Basic UserID mapping OK

2023-10-19 19:42:33 -04:00 · 2023-10-19 19:42:33 -04:00 · b1e8e8933d
commit b1e8e8933d
parent 0c787391bb
8 changed files with 106 additions and 29 deletions
--- a/.gitignore
+++ b/.gitignore
@ -22,3 +22,5 @@ pnpm-debug.log*
 *.sw?

 .env
+
+/src/server/db
--- a/package-lock.json
+++ b/package-lock.json
@ -954,6 +954,20 @@
      "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
      "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A=="
    },
+    "node_modules/body-parser/node_modules/qs": {
+      "version": "6.11.0",
+      "resolved": "https://registry.npmjs.org/qs/-/qs-6.11.0.tgz",
+      "integrity": "sha512-MvjoMCJwEarSbUYk5O+nmoSzSutSsTwF85zcHPQ9OrlFoZOYIjaqBAJIqIXjptyD5vThxGq52Xu/MaJzRkIk4Q==",
+      "dependencies": {
+        "side-channel": "^1.0.4"
+      },
+      "engines": {
+        "node": ">=0.6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
    "node_modules/brace-expansion": {
      "version": "2.0.1",
      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
@ -1366,6 +1380,20 @@
      "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
      "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A=="
    },
+    "node_modules/express/node_modules/qs": {
+      "version": "6.11.0",
+      "resolved": "https://registry.npmjs.org/qs/-/qs-6.11.0.tgz",
+      "integrity": "sha512-MvjoMCJwEarSbUYk5O+nmoSzSutSsTwF85zcHPQ9OrlFoZOYIjaqBAJIqIXjptyD5vThxGq52Xu/MaJzRkIk4Q==",
+      "dependencies": {
+        "side-channel": "^1.0.4"
+      },
+      "engines": {
+        "node": ">=0.6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
    "node_modules/express/node_modules/raw-body": {
      "version": "2.5.1",
      "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.5.1.tgz",
@ -2026,20 +2054,6 @@
        "node": ">= 0.10"
      }
    },
-    "node_modules/qs": {
-      "version": "6.11.0",
-      "resolved": "https://registry.npmjs.org/qs/-/qs-6.11.0.tgz",
-      "integrity": "sha512-MvjoMCJwEarSbUYk5O+nmoSzSutSsTwF85zcHPQ9OrlFoZOYIjaqBAJIqIXjptyD5vThxGq52Xu/MaJzRkIk4Q==",
-      "dependencies": {
-        "side-channel": "^1.0.4"
-      },
-      "engines": {
-        "node": ">=0.6"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/ljharb"
-      }
-    },
    "node_modules/range-parser": {
      "version": "1.2.1",
      "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz",
@ -3418,6 +3432,14 @@
          "version": "2.0.0",
          "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
          "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A=="
+        },
+        "qs": {
+          "version": "6.11.0",
+          "resolved": "https://registry.npmjs.org/qs/-/qs-6.11.0.tgz",
+          "integrity": "sha512-MvjoMCJwEarSbUYk5O+nmoSzSutSsTwF85zcHPQ9OrlFoZOYIjaqBAJIqIXjptyD5vThxGq52Xu/MaJzRkIk4Q==",
+          "requires": {
+            "side-channel": "^1.0.4"
+          }
        }
      }
    },
@ -3744,6 +3766,14 @@
          "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
          "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A=="
        },
+        "qs": {
+          "version": "6.11.0",
+          "resolved": "https://registry.npmjs.org/qs/-/qs-6.11.0.tgz",
+          "integrity": "sha512-MvjoMCJwEarSbUYk5O+nmoSzSutSsTwF85zcHPQ9OrlFoZOYIjaqBAJIqIXjptyD5vThxGq52Xu/MaJzRkIk4Q==",
+          "requires": {
+            "side-channel": "^1.0.4"
+          }
+        },
        "raw-body": {
          "version": "2.5.1",
          "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.5.1.tgz",
@ -4195,14 +4225,6 @@
        "ipaddr.js": "1.9.1"
      }
    },
-    "qs": {
-      "version": "6.11.0",
-      "resolved": "https://registry.npmjs.org/qs/-/qs-6.11.0.tgz",
-      "integrity": "sha512-MvjoMCJwEarSbUYk5O+nmoSzSutSsTwF85zcHPQ9OrlFoZOYIjaqBAJIqIXjptyD5vThxGq52Xu/MaJzRkIk4Q==",
-      "requires": {
-        "side-channel": "^1.0.4"
-      }
-    },
    "range-parser": {
      "version": "1.2.1",
      "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz",
--- a/src/server/auth/FakeAuth.ts
+++ b/src/server/auth/FakeAuth.ts
@ -3,7 +3,11 @@ export class FakeAuth implements Auth {

  async login(username: string, password: string): Promise<LoginResult> {
    if (username == 'test' && password == 'test')
-      return { displayName: 'Test User', username: 'test' }
+      return {
+        displayName: 'Test User',
+        username: 'test',
+        domain: 'test_domain'
+      }
    throw new Error('Login failed')
  }
 }
--- a/src/server/auth/LdapAuth.ts
+++ b/src/server/auth/LdapAuth.ts
@ -19,7 +19,8 @@ export class LdapAuth implements Auth {

      return {
        username,
-        displayName: search.searchEntries[0].displayName as string
+        displayName: search.searchEntries[0].displayName as string,
+        domain: this.domain
      }
    } catch (error: any) {
      console.log('Error:', error)
--- a/src/server/interfaces/Auth.ts
+++ b/src/server/interfaces/Auth.ts
@ -1,6 +1,7 @@
 type LoginResult = {
  username: string
  displayName: string
+  domain: string
  jwt?: string
 }

--- a/src/server/lib/login.ts
+++ b/src/server/lib/login.ts
@ -1,15 +1,29 @@
 import { Client } from 'ldapts'

 import { LdapAuth } from '../auth/LdapAuth'
+import { PaFirewall } from '../paloalto/PaFirewall'

-export async function login(username: string, password: string) {
+import { paHosts } from '../db/pa'
+
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'
+
+export async function login(username: string, password: string, ip: string) {
  const ldapClient = new Client({
    url: 'ldap://10.7.0.18'
  })

  const ldapAuth = new LdapAuth(ldapClient, 'ifms', 'DC=ifms,DC=edu,DC=br')

+  try {
    const user = await ldapAuth.login(username, password)

+    const pa = new PaFirewall(paHosts[0].ip, paHosts[0].key)
+
+    await pa.mapUserIDToIP(username, ip, user.domain)
+
    return user
+  } catch (error) {
+    console.log(error)
+    throw new Error('Login failed')
+  }
 }
--- a/src/server/paloalto/PaFirewall.ts
+++ b/src/server/paloalto/PaFirewall.ts
@ -0,0 +1,33 @@
+const MAP_TIMEOUT_IN_MINUTES = process.env.MAPPING_TIMEOUT || '720' // 12 horas
+
+export class PaFirewall {
+  constructor(private ip: string, private key: string) {}
+
+  async mapUserIDToIP(username: string, ip: string, domain: string) {
+    const command = this.createCommand(username, ip, domain)
+
+    const response = await fetch(
+      `https://${this.ip}/api/?type=user-id&key=${this.key}&cmd=${command}`,
+      {
+        method: 'POST'
+      }
+    )
+
+    const data = await response.text()
+
+    console.log(data)
+  }
+
+  private createCommand(username: string, ip: string, domain: string) {
+    return `
+      <uid-message>
+      <version>1.0</version>
+      <type>update</type>
+      <payload>
+        <login>
+          <entry name="ifms\\${username}" ip="${ip}" timeout="${MAP_TIMEOUT_IN_MINUTES}"/>
+        </login>
+      </payload>
+      </uid-message>`
+  }
+}
--- a/src/server/trpc.ts
+++ b/src/server/trpc.ts
@ -21,8 +21,8 @@ export const appRouter = t.router({

  login: t.procedure
    .input(z.object({ username: z.string(), password: z.string() }))
-    .mutation(async ({ input }) => {
-      return await login(input.username, input.password)
+    .mutation(async ({ input, ctx }) => {
+      return await login(input.username, input.password, getIpFromContext(ctx))
    })
 })