Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
new PassportGoogleStrategy(
{
clientID: googleClientId,
clientSecret: googleClientSecret,
callbackURL: publicUrl + baseUrl + '/auth/google/callback',
// This option tells the strategy to use the userinfo endpoint instead
userProfileURL: 'https://www.googleapis.com/oauth2/v3/userinfo?alt=json'
},
passportGoogleStrategyHandler
)
);
}
if (samlEntryPoint) {
passport.use(
new SamlStrategy(
{
path: '/login/callback',
entryPoint: samlEntryPoint,
issuer: samlIssuer,
callbackUrl: samlCallbackUrl,
cert: samlCert,
authnContext: samlAuthContext,
identifierFormat: null
},
async function(p, done) {
const email =
p[
'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
];
const user = await usersUtil.findOneByEmail(email);
console.log(`User logged in with SAML as ${email}`);
.then((ssoconfig) => {
if (ssoconfig) {
const redirectUrl = getRedirectUrlSSO(req);
// add relay state to remember redirect url when a response is
// returned from SAML IdP in post /sso/saml route
passport.use(new SamlStrategy(
{
path: '/sso/saml',
entryPoint: ssoconfig.samlEntryPoint,
issuer: ssoconfig.samlIssuer,
additionalParams: { RelayState: redirectUrl },
}, samlAuthentication)
);
return next();
}
return res.status(httpStatus.NOT_FOUND).send('Page not found');
})
.catch(() => res.status(httpStatus.NOT_FOUND).send('Page not found'));
}
function authorizeDevice(req, res, next) {
provisioning.provision.check(provisioning.strategy, {uid: req.param('uid')}, function(err, device) {
if (err) return next(err);
if (provisioning.strategy === 'uid' && (!device || !device.registered)) {
return res.sendStatus(403);
} else {
req.device = device;
next();
}
})(req, res, next);
}
passport.use(new SamlStrategy(strategyConfig.options, function(profile, done) {
const username = profile[strategyConfig.uidAttribute];
User.getUserByAuthenticationId('saml', username, function(err, user) {
if (err) return done(err);
if (!user) {
// Create an account for the user
Role.getRole('USER_ROLE', function(err, role) {
if (err) return done(err);
var user = {
username: username,
displayName: profile[strategyConfig.displayNameAttribute],
email: profile[strategyConfig.emailAttribute],
active: false,
roleId: role._id,
authentication: {
// check whether the strategy has already been set up
if (this.isSamlStrategySetup) {
throw new Error('SamlStrategy has already been set up');
}
const { configManager } = this.crowi;
const isSamlEnabled = configManager.getConfig('crowi', 'security:passport-saml:isEnabled');
// when disabled
if (!isSamlEnabled) {
return;
}
debug('SamlStrategy: setting up..');
passport.use(
new SamlStrategy(
{
entryPoint: configManager.getConfig('crowi', 'security:passport-saml:entryPoint'),
callbackUrl: (this.crowi.appService.getSiteUrl() != null)
? urljoin(this.crowi.appService.getSiteUrl(), '/passport/saml/callback') // auto-generated with v3.2.4 and above
: configManager.getConfig('crowi', 'security:passport-saml:callbackUrl'), // DEPRECATED: backward compatible with v3.2.3 and below
issuer: configManager.getConfig('crowi', 'security:passport-saml:issuer'),
cert: configManager.getConfig('crowi', 'security:passport-saml:cert'),
},
(profile, done) => {
if (profile) {
return done(null, profile);
}
return done(null, false);
},
),
registerAuthenticationRoutes(app, passport)
{
const self = this;
let saml = require("passport-saml");
let samlStrategy = new saml.Strategy({
// URL that goes from the Identity Provider -> Service Provider
callbackUrl: self.getCallbackURl(),
// URL that goes from the Service Provider -> Identity Provider
entryPoint: self.getEntryPoint(),
// Usually specified as `/shibboleth` from site root
issuer: self.getIssuer(),
identifierFormat: null,
// Service Provider private key
decryptionPvk: self.getKey(),
// Service Provider Certificate
privateCert: self.getKey(),
// Identity Provider's public key
cert: self.getIdpCert(),
validateInResponseTo: false,
disableRequestedAuthnContext: true
}, function(profile, done) {
firstName = username.split(' ')[0];
lastName = username.split(' ')[1];
var user = { firstName: firstName, lastName: lastName, nameID: username.replace(/ /, '.').concat('@thoughtworks.com') };
function byEmail(current) { return current.nameID == user.nameID; }
if (users.filter(byEmail).length == 0) {
users.push(user);
}
return done(null, user);
}));
};
passport.use(new SamlStrategy(
{
issuer: config.auth.issuer,
path: config.auth.path,
entryPoint: config.auth.entryPoint,
cert: config.auth.cert
},
function(profile, done) {
if (!profile.nameID) {
return done(new Error("No email found"), null);
}
process.nextTick(function () {
findByEmail(profile.nameID, function(err, user) {
if (err) {
return done(err);
}
if (!user) {
(function () {
let arg = config.auth.saml;
arg.callbackURL = realm + "/auth/saml/callback";
delete arg.enabled;
delete arg.path;
passport.use(new SAMLStrategy(arg, function (profile, done) {
config.auth.saml.auth(profile, function (err, user) {
if (err) {
delete err.stack;
return done(err);
}
done(null, user);
});
}));
}());
export default function(app) {
const rekiBaseUrl = new URL(process.env.REKI_BASE_URL || 'http://localhost:3000');
const useProductionPartioID = process.env.PARTIOID_USE_PRODUCTION === 'true';
const partioIDRemoteName = useProductionPartioID ? 'id' : 'partioid-test';
const partioIdIssuer = rekiBaseUrl.href;
const partioIdEntryPoint = `https://${partioIDRemoteName}.partio.fi/simplesaml/saml2/idp/SSOService.php`;
const partioIdLogoutUrl = `https://${partioIDRemoteName}.partio.fi/simplesaml/saml2/idp/SingleLogoutService.php`;
const partioIdCertificate = fs.readFileSync(path.resolve(`./certs/partioid/${partioIDRemoteName}.crt`), 'utf-8');
const strategy = new SamlStrategy(
{
callback: new URL('/saml/consume', rekiBaseUrl).href,
issuer: partioIdIssuer,
entryPoint: partioIdEntryPoint,
cert: partioIdCertificate,
logoutUrl: partioIdLogoutUrl,
logoutCallbackUrl: 'http://localhost:3000/saml/consume-logout',
identifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:transient',
},
async (profile, done) => {
try {
if (!profile || !profile.membernumber) {
done(null, false, { message: 'Jäsennumero puuttuu PartioID-vastauksesta.' });
return;
}
constructor(options) {
assert(options, 'options are required');
assert(options.cfg, 'options.cfg is required');
assert(options.cfg.sso, 'options.cfg.sso is required');
assert(options.cfg.sso.issuer, 'options.cfg.sso.issuer is required');
assert(options.cfg.sso.entryPoint, 'options.cfg.sso.entryPoint is required');
assert(options.cfg.sso.certificate, 'options.cfg.sso.certificate is required');
assert(options.authorize, 'options.authorize is required');
this.cfg = options.cfg;
this.authorize = options.authorize;
passport.use(new saml.Strategy({
issuer: options.cfg.sso.issuer,
path: '/sso/login',
entryPoint: options.cfg.sso.entryPoint,
cert: options.cfg.sso.certificate,
skipRequestCompression: true,
passReqToCallback: true,
}, this.samlCallback.bind(this)));
}
function createSamlStrategyWithRedirect(redirectUrl) {
return new SamlStrategy({
callbackUrl: `${config.saml.callbackUrl}?redirectUrl=${redirectUrl}`,
entryPoint: config.saml.entry_point,
issuer: config.saml.issuer,
acceptedClockSkewMs: -1,
identifierFormat: IDENTIFIER_FORMAT
},
(profile, done) => {
const groups = profile[SECURITY_GROUPS_SCHEMA] || [];
const requiredSecurityGroup = config.saml.securityGroupName;
if (requiredSecurityGroup && !groups.includes(requiredSecurityGroup)) {
logger.info(`User '${profile[EMAIL_ADDRESS_SCHEMA]}' attempted to log in but was not part of '${requiredSecurityGroup}' security group`);
return done(null, false);
}
return done(null, {