-
Notifications
You must be signed in to change notification settings - Fork 3
/
1726689003147-ldap-objectguid.ts
123 lines (100 loc) · 4.38 KB
/
1726689003147-ldap-objectguid.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
/**
* SudoSOS back-end API service.
* Copyright (C) 2024 Study association GEWIS
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published
* by the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* @license
*/
/**
* @module
* @hidden
*/
import { In, MigrationInterface, Not, QueryRunner } from 'typeorm';
import { getLDAPConnection, LDAPResult } from '../helpers/ad';
import ADService from '../service/ad-service';
import LDAPAuthenticator from '../entity/authenticator/ldap-authenticator';
import { UserType } from '../entity/user/user';
export class LDAPObjectGUID1726689003147 implements MigrationInterface {
public async up(queryRunner: QueryRunner): Promise<void> {
// Check if ENV vars are set
if (!process.env.LDAP_BASE || !process.env.LDAP_USER_BASE || !process.env.LDAP_SHARED_ACCOUNT_FILTER) {
console.log('LDAP_BASE, LDAP_USER_BASE, LDAP_SHARED_ACCOUNT_FILTER must be for the migration to work, skipping.');
return;
}
// Get LDAP connection
const client = await getLDAPConnection();
const adService = new ADService();
const oldUsers = await client.search(process.env.LDAP_BASE, {
filter: `(&(objectClass=user)(objectCategory=person)(memberOf:1.2.840.113556.1.4.1941:=${process.env.LDAP_USER_BASE}))`,
});
const oldOrgans = await client.search(process.env.LDAP_SHARED_ACCOUNT_FILTER, {
filter: '(CN=*)',
});
const oldGUIDs = [...oldUsers.searchEntries, ...oldOrgans.searchEntries].map((entry: any) => ({
dn: entry.dn,
objectGUID: entry.objectGUID,
}));
// Create a map of cn to old objectGUID
const oldGUIDMap = new Map(oldGUIDs.map(({ dn, objectGUID }) => [dn, objectGUID]));
// Fetch new LDAP users to get new objectGUIDs
const newUsers = await adService.getLDAPGroupMembers(client, process.env.LDAP_USER_BASE);
const newOrgans = await adService.getLDAPGroups<LDAPResult>(client, process.env.LDAP_SHARED_ACCOUNT_FILTER);
const newGUIDs = [...newUsers.searchEntries, ...newOrgans].map((entry: any) => ({
dn: entry.dn,
objectGUID: entry.objectGUID,
}));
// Create a map of cn to new objectGUID
const newGUIDMap = new Map(newGUIDs.map(({ dn, objectGUID }) => [dn, objectGUID]));
const membersToFix = new Set<number>();
await queryRunner.manager.find(LDAPAuthenticator, { where: { user: { type: UserType.MEMBER } } }).then((auths) => {
auths.forEach((auth) => {
membersToFix.add(auth.userId);
});
});
const otherToFix = new Set<number>();
await queryRunner.manager.find(LDAPAuthenticator, { where: { user: { type: Not(UserType.MEMBER) } } }).then((auths) => {
auths.forEach((auth) => {
otherToFix.add(auth.userId);
});
});
for (const [dn, objectGUID] of oldGUIDMap) {
console.info(`Checking ${dn}`);
const auth = await queryRunner.manager.findOne(LDAPAuthenticator, {
where: { UUID: objectGUID },
});
if (!auth) throw new Error(`Could not find LDAPAuthenticator for ${dn}`);
const newObjectGUID = newGUIDMap.get(dn);
if (!newObjectGUID) throw new Error(`Could not find new objectGUID for ${dn}`);
auth.UUID = newObjectGUID;
await auth.save();
membersToFix.delete(auth.userId);
otherToFix.delete(auth.userId);
}
if (membersToFix.size > 0) {
// These AD accounts have been unlinked and can be removed
const ids = Array.from(membersToFix.values());
console.error('Removing old LDAPAuthenticators:', ids);
await queryRunner.manager.delete(LDAPAuthenticator, { userId: In(ids) });
}
if (otherToFix.size > 0) {
console.error('Others to fix:', otherToFix);
throw new Error('Not all users have been fixed');
}
}
// eslint-disable-next-line @typescript-eslint/no-unused-vars
public async down(queryRunner: QueryRunner): Promise<void> {
// no-op
}
}