启动命令
ip=ifconfig en0 |grep "inet" |grep -v "inet6"| awk '{print $2}'
./stf local --public-ip ${ip} --allow-remote --auth-type ldap --auth-options ‘["–ldap-url",“ldap:服务器地址”, “–ldap-bind-dn”,“你的账号”,"–ldap-search-dn",“DC=douyole,DC=com”, “–ldap-bind-credentials”,“ldap密码”, “–ldap-search-class”,“user”, “–ldap-search-field”, “你们公司对应的用户信息字段”]’
修改源码部分
- 源码文件地址: lib/units/auth/ldap.js
- 修改后的源码
var http = require('http')
var express = require('express')
var validator = require('express-validator')
var cookieSession = require('cookie-session')
var bodyParser = require('body-parser')
var serveStatic = require('serve-static')
var csrf = require('csurf')
var Promise = require('bluebird')
var logger = require('../../util/logger')
var requtil = require('../../util/requtil')
var ldaputil = require('../../util/ldaputil')
var jwtutil = require('../../util/jwtutil')
var pathutil = require('../../util/pathutil')
var urlutil = require('../../util/urlutil')
var lifecycle = require('../../util/lifecycle')
var url = require('url')
module.exports = function(options) {
var log = logger.createLogger('auth-ldap')
var app = express()
var server = Promise.promisifyAll(http.createServer(app))
lifecycle.observe(function() {
log.info('Waiting for client connections to end')
return server.closeAsync()
.catch(function() {
// Okay
})
})
app.set('view engine', 'pug')
app.set('views', pathutil.resource('auth/ldap/views'))
app.set('strict routing', true)
app.set('case sensitive routing', true)
app.use(cookieSession({
name: options.ssid
, keys: [options.secret]
}))
app.use(bodyParser.json())
// app.use(csrf()) // 关闭csrf验证,为了接入公司项目
app.use(validator())
app.use('/static/bower_components',
serveStatic(pathutil.resource('bower_components')))
app.use('/static/auth/ldap', serveStatic(pathutil.resource('auth/ldap')))
app.use(function(req, res, next) {
// res.cookie('XSRF-TOKEN', req.csrfToken())
next()
})
// 设置跨域问题
app.use(function(req, res, next) {
res.setHeader('Access-Control-Allow-Origin', '*')
res.setHeader('Access-Control-Allow-Methods', 'PUT, POST, GET, DELETE, OPTIONS')
res.setHeader('Access-Control-Allow-Headers', 'X-Requested-With,content-type, Authorization')
next()
})
app.get('/', function(req, res) {
res.redirect('/auth/ldap/')
})
// 不知道为什么,STF中代理过来的请求,body里面没有数据,因此采用传参数过来获取账号密码
app.get('/auth/ldap/', function(req, res) {
var log = logger.createLogger('auth-ldap')
log.info('登陆信息:get username=%s', req.body.username)
log.info('登陆信息:get body password=%s', req.body.password)
log.info('登陆信息:get url=%s', req.body.url)
log.info('请求方法:get %s ', res.headers)
log.info('请求url:%s ', req.url)
var params = url.parse(req.url, true).query
log.info('请求url:%s ', params.name)
var username = params.name
var password = params.password
log.info('请求url:%s ', username)
requtil.validate(req, function() {
}).then(function() {
return ldaputil.login(
options.ldap
, username
, password
)
})
.then(function(user) {
log.info('Authenticated "%s"', ldaputil.email(user))
var token = jwtutil.encode({
payload: {
email: ldaputil.email(user)
, name: user[options.ldap.username.field]
}
, secret: options.secret
, header: {
exp: Date.now() + 24 * 3600
}
})
res.status(200)
.json({
success: true
, redirect: urlutil.addParams(options.appUrl, {
jwt: token
})
})
})
.catch(requtil.ValidationError, function(err) {
res.status(400)
.json({
success: false
, error: 'ValidationError'
, validationErrors: err.errors
})
})
.catch(ldaputil.InvalidCredentialsError, function(err) {
log.warn('Authentication failure for "%s"', err.user)
res.status(400)
.json({
success: false
, error: 'InvalidCredentialsError'
})
})
.catch(function(err) {
log.error('Unexpected error', err.stack)
res.status(500)
.json({
success: false
, error: 'ServerError'
})
})
})
app.post('/auth/api/v1/ldap', function(req, res) {
var log = logger.createLogger('auth-ldap')
log.setLocalIdentifier(req.ip)
switch (req.accepts(['json'])) {
case 'json':
requtil.validate(req, function() {
req.checkBody('username').notEmpty()
req.checkBody('password').notEmpty()
})
.then(function() {
return ldaputil.login(
options.ldap
, req.body.username
, req.body.password
)
})
.then(function(user) {
log.info('Authenticated "%s"', ldaputil.email(user))
var token = jwtutil.encode({
payload: {
email: ldaputil.email(user)
, name: user[options.ldap.username.field]
}
, secret: options.secret
, header: {
exp: Date.now() + 24 * 3600
}
})
res.status(200)
.json({
success: true
, redirect: urlutil.addParams(options.appUrl, {
jwt: token
})
})
})
.catch(requtil.ValidationError, function(err) {
res.status(400)
.json({
success: false
, error: 'ValidationError'
, validationErrors: err.errors
})
})
.catch(ldaputil.InvalidCredentialsError, function(err) {
log.warn('Authentication failure for "%s"', err.user)
res.status(400)
.json({
success: false
, error: 'InvalidCredentialsError'
})
})
.catch(function(err) {
log.error('Unexpected error', err.stack)
res.status(500)
.json({
success: false
, error: 'ServerError'
})
})
break
default:
res.send(406)
break
}
})
server.listen(options.port)
log.info('Listening on port %d', options.port)
}
- 代理部分的代码: lib/units/poorxy/index.js
- 修改后的代码
// 跨域问题
app.use(function(req, res, next) {
res.setHeader('Access-Control-Allow-Origin', '*')
res.setHeader('Access-Control-Allow-Methods', 'PUT, POST, GET, DELETE, OPTIONS')
res.setHeader('Access-Control-Allow-Headers', 'X-Requested-With,content-type, Authorization')
next()
})
// 授权相关的接口都通过传参数进入,不知道为什么body带不过去
;['/static/auth/*', '/auth/*'].forEach(function(route) {
app.all(route, function(req, res) {
// log.info('登陆信息:proxy username=%s', req.body.username)
// log.info('登陆信息:proxy body password=%s', req.body.password)
// log.info('登陆信息:proxy url=%s', req.body.url)
log.info('监听端口:proxy port=%s', options.port)
log.info('代理权限路由:%s ', options.authUrl)
log.info('监听端口:%s ', options.port)
log.info('请求方法:%s ', res.headers)
log.info('请求url:%s ', req.url)
res.redirect(options.authUrl + req.url.replace('/', ''))
})
})