[FIX] CAS users can take control of Rocket.Chat accounts (#15346)

* Added new setting to determine if Rocket.Chat should trust CAS usernames by default * Change new setting to true by default if CAS was already being used.
RocketChat · Sep 18, 2019 · 078d13e · 078d13e
1 parent bd90981
commit 078d13e
Show file tree

Hide file tree

Showing 5 changed files with 38 additions and 5 deletions.
diff --git a/app/cas/server/cas_rocketchat.js b/app/cas/server/cas_rocketchat.js
@@ -12,6 +12,7 @@ Meteor.startup(function() {
 		this.add('CAS_base_url', '', { type: 'string', group: 'CAS', public: true });
 		this.add('CAS_login_url', '', { type: 'string', group: 'CAS', public: true });
 		this.add('CAS_version', '1.0', { type: 'select', values: [{ key: '1.0', i18nLabel: '1.0' }, { key: '2.0', i18nLabel: '2.0' }], group: 'CAS' });
+		this.add('CAS_trust_username', false, { type: 'boolean', group: 'CAS', public: true, i18nDescription: 'CAS_trust_username_description' });
 
 		this.section('Attribute_handling', function() {
 			// Enable/disable sync

diff --git a/app/cas/server/cas_server.js b/app/cas/server/cas_server.js
@@ -124,6 +124,7 @@ Accounts.registerLoginHandler(function(options) {
 	const syncUserDataFieldMap = settings.get('CAS_Sync_User_Data_FieldMap').trim();
 	const cas_version = parseFloat(settings.get('CAS_version'));
 	const sync_enabled = settings.get('CAS_Sync_User_Data_Enabled');
+	const trustUsername = settings.get('CAS_trust_username');
 
 	// We have these
 	const ext_attrs = {
@@ -179,11 +180,13 @@ Accounts.registerLoginHandler(function(options) {
 	if (!user) {
 		// If that user was not found, check if there's any CAS user that is currently using that username on Rocket.Chat
 		// With this, CAS login will continue to work if the user is renamed on both sides and also if the user is renamed only on Rocket.Chat.
-		const username = new RegExp(`^${ result.username }$`, 'i');
-		user = Meteor.users.findOne({ 'services.cas.external_id': { $exists: true }, username });
-		if (user) {
-			// Update the user's external_id to reflect this new username.
-			Meteor.users.update(user, { $set: { 'services.cas.external_id': result.username } });
+		if (trustUsername) {
+			const username = new RegExp(`^${ result.username }$`, 'i');
+			user = Meteor.users.findOne({ 'services.cas.external_id': { $exists: true }, username });
+			if (user) {
+				// Update the user's external_id to reflect this new username.
+				Meteor.users.update(user, { $set: { 'services.cas.external_id': result.username } });
+			}
 		}
 	}
 

diff --git a/packages/rocketchat-i18n/i18n/en.i18n.json b/packages/rocketchat-i18n/i18n/en.i18n.json
@@ -520,6 +520,8 @@
   "CAS_Sync_User_Data_Enabled_Description": "Always synchronize external CAS User data into available attributes upon login. Note: Attributes are always synced upon account creation anyway.",
   "CAS_Sync_User_Data_FieldMap": "Attribute Map",
   "CAS_Sync_User_Data_FieldMap_Description": "Use this JSON input to build internal attributes (key) from external attributes (value). External attribute names enclosed with '%' will interpolated in value strings.<br/>Example, `{\"email\":\"%email%\", \"name\":\"%firstname%, %lastname%\"}`<br/><br/>The attribute map is always interpolated. In CAS 1.0 only the `username` attribute is available. Available internal attributes are: username, name, email, rooms; rooms is a comma separated list of rooms to join upon user creation e.g: {\"rooms\": \"%team%,%department%\"} would join CAS users on creation to their team and department channel.",
+  "CAS_trust_username": "Trust CAS username",
+  "CAS_trust_username_description": "When enabled, Rocket.Chat will trust that any username from CAS belongs to the same user on Rocket.Chat.<br/>This may be needed if an user is renamed on CAS, but may also allow people to take control of Rocket.Chat accounts by renaming their own CAS users.",
   "CAS_version": "CAS Version",
   "CAS_version_Description": "Only use a supported CAS version supported by your CAS SSO service.",
   "Categories": "Categories",

diff --git a/server/startup/migrations/index.js b/server/startup/migrations/index.js
@@ -155,4 +155,5 @@ import './v154';
 import './v155';
 import './v156';
 import './v157';
+import './v158';
 import './xrun';
diff --git a/server/startup/migrations/v158.js b/server/startup/migrations/v158.js
@@ -0,0 +1,26 @@
+import { Migrations } from '../../../app/migrations/server';
+import { Settings } from '../../../app/models/server';
+import { settings } from '../../../app/settings/server';
+
+Migrations.add({
+	version: 158,
+	up() {
+		if (!settings.get('CAS_enabled')) {
+			return;
+		}
+
+		Settings.upsert({
+			_id: 'CAS_trust_username',
+		},
+		{
+			_id: 'CAS_trust_username',
+			value: true,
+			type: 'boolean',
+			group: 'CAS',
+			i18nDescription: 'CAS_trust_username_description',
+		});
+	},
+	down() {
+		// Down migration does not apply in this case
+	},
+});