[NEW] Enable LDAP manual sync to deployments without EE license

rodrigok · rodrigok · commit 7f7525be77ba · 2021-11-20T18:40:31.000-03:00
diff --git a/app/api/server/api.d.ts b/app/api/server/api.d.ts
@@ -1,5 +1,7 @@
 import type { JoinPathPattern, Method, MethodOf, OperationParams, OperationResult, PathPattern, UrlParams } from '../../../definition/rest';
 import type { IUser } from '../../../definition/IUser';
+import { IMethodConnection } from '../../../definition/IMethodThisType';
+import { ITwoFactorOptions } from '../../2fa/server/code';
 
 type SuccessResult<T> = {
 	statusCode: 200;
@@ -41,9 +43,17 @@ type UnauthorizedResult<T> = {
 
 type Options = {
 	permissionsRequired?: string[];
-	twoFactorOptions?: unknown;
+	twoFactorOptions?: ITwoFactorOptions;
 	twoFactorRequired?: boolean;
 	authRequired?: boolean;
+	enterprise?: boolean;
+}
+
+type Request = {
+	method: 'GET' | 'POST' | 'PUT' | 'DELETE';
+	url: string;
+	headers: Record<string, string>;
+	body: any;
 }
 
 type ActionThis<TMethod extends Method, TPathPattern extends PathPattern, TOptions> = {
@@ -93,6 +103,8 @@ type Operations<TPathPattern extends PathPattern, TOptions extends Options = {}>
 };
 
 declare class APIClass<TBasePath extends string = '/'> {
+	processTwoFactor({ userId, request, invocation, options, connection }: { userId: string; request: Request; invocation: {twoFactorChecked: boolean}; options: Options; connection: IMethodConnection }): void;
+
 	addRoute<
 		TSubPathPattern extends string
 	>(subpath: TSubPathPattern, operations: Operations<JoinPathPattern<TBasePath, TSubPathPattern>>): void;
diff --git a/app/api/server/api.js b/app/api/server/api.js
@@ -276,7 +276,7 @@ export class APIClass extends Restivus {
 		const code = request.headers['x-2fa-code'];
 		const method = request.headers['x-2fa-method'];
 
-		checkCodeForUser({ user: userId, code, method, options, connection });
+		checkCodeForUser({ user: userId, code, method, options: options.twoFactorOptions, connection });
 
 		invocation.twoFactorChecked = true;
 	}
@@ -400,7 +400,7 @@ export class APIClass extends Restivus {
 						Accounts._setAccountData(connection.id, 'loginToken', this.token);
 
 						if (_options.twoFactorRequired) {
-							api.processTwoFactor({ userId: this.userId, request: this.request, invocation, options: _options.twoFactorOptions, connection });
+							api.processTwoFactor({ userId: this.userId, request: this.request, invocation, options: _options, connection });
 						}
 
 						result = DDP._CurrentInvocation.withValue(invocation, () => Promise.await(originalAction.apply(this))) || API.v1.success();
diff --git a/client/lib/2fa/utils.ts b/client/lib/2fa/utils.ts
@@ -4,12 +4,14 @@ import { Meteor } from 'meteor/meteor';
 export const isTotpRequiredError = (
 	error: unknown,
 ): error is Meteor.Error & { error: 'totp-required' } =>
-	(error as { error?: unknown } | undefined)?.error === 'totp-required';
+	(error as { error?: unknown } | undefined)?.error === 'totp-required' ||
+	(error as { errorType?: unknown } | undefined)?.errorType === 'totp-required';
 
 export const isTotpInvalidError = (
 	error: unknown,
 ): error is Meteor.Error & { error: 'totp-invalid' } =>
-	(error as { error?: unknown } | undefined)?.error === 'totp-invalid';
+	(error as { error?: unknown } | undefined)?.error === 'totp-invalid' ||
+	(error as { errorType?: unknown } | undefined)?.errorType === 'totp-invalid';
 
 export const isLoginCancelledError = (error: unknown): error is Meteor.Error =>
 	error instanceof Meteor.Error && error.error === Accounts.LoginCancelledError.numericError;
diff --git a/client/views/admin/settings/groups/LDAPGroupPage.tsx b/client/views/admin/settings/groups/LDAPGroupPage.tsx
@@ -19,7 +19,6 @@ function LDAPGroupPage({ _id, ...group }: ISetting): JSX.Element {
 	const syncNow = useEndpoint('POST', 'ldap.syncNow');
 	const testSearch = useEndpoint('POST', 'ldap.testSearch');
 	const ldapEnabled = useSetting('LDAP_Enable');
-	const ldapSyncEnabled = useSetting('LDAP_Background_Sync') && ldapEnabled;
 	const setModal = useSetModal();
 	const closeModal = useMutableCallback(() => setModal());
 
@@ -135,13 +134,11 @@ function LDAPGroupPage({ _id, ...group }: ISetting): JSX.Element {
 						disabled={!ldapEnabled || changed}
 						onClick={handleSearchTestButtonClick}
 					/>
-					{ldapSyncEnabled && (
-						<Button
-							children={t('LDAP_Sync_Now')}
-							disabled={!ldapSyncEnabled || changed}
-							onClick={handleSyncNowButtonClick}
-						/>
-					)}
+					<Button
+						children={t('LDAP_Sync_Now')}
+						disabled={!ldapEnabled || changed}
+						onClick={handleSyncNowButtonClick}
+					/>
 					<Button is='a' href='https://go.rocket.chat/i/ldap-docs' target='_blank'>
 						{t('LDAP_Documentation')}
 					</Button>
diff --git a/ee/server/api/api.ts b/ee/server/api/api.ts
@@ -0,0 +1,21 @@
+import { API } from '../../../app/api/server/api';
+import { use } from '../../../app/settings/server/Middleware';
+import { isEnterprise } from '../../app/license/server/license';
+
+// Overwrites two factor method to enforce 2FA check for enterprise APIs when
+// no license was provided to prevent abuse on enterprise APIs.
+API.v1.processTwoFactor = use(API.v1.processTwoFactor, function(context, next) {
+	const [params] = context;
+
+	if (params.options?.enterprise && params.options?.twoFactorRequired && !params.options.twoFactorOptions?.requireSecondFactor) {
+		params.options = {
+			...params.options,
+			twoFactorOptions: {
+				...params.options.twoFactorOptions,
+				requireSecondFactor: !isEnterprise(),
+			},
+		};
+	}
+
+	return next(params);
+});
diff --git a/ee/server/api/index.ts b/ee/server/api/index.ts
@@ -1,2 +1,3 @@
+import './api';
 import './ldap';
 import './licenses';
diff --git a/ee/server/api/ldap.ts b/ee/server/api/ldap.ts
@@ -2,9 +2,8 @@ import { hasRole } from '../../../app/authorization/server';
 import { settings } from '../../../app/settings/server';
 import { API } from '../../../app/api/server/api';
 import { LDAPEE } from '../sdk';
-import { hasLicense } from '../../app/license/server/license';
 
-API.v1.addRoute('ldap.syncNow', { authRequired: true }, {
+API.v1.addRoute('ldap.syncNow', { authRequired: true, enterprise: true, twoFactorRequired: true }, {
 	async post() {
 		if (!this.userId) {
 			throw new Error('error-invalid-user');
@@ -14,10 +13,6 @@ API.v1.addRoute('ldap.syncNow', { authRequired: true }, {
 			throw new Error('error-not-authorized');
 		}
 
-		if (!hasLicense('ldap-enterprise')) {
-			throw new Error('error-not-authorized');
-		}
-
 		if (settings.get('LDAP_Enable') !== true) {
 			throw new Error('LDAP_disabled');
 		}

Original file line number	Diff line number	Diff line change
`@@ -276,7 +276,7 @@ export class APIClass extends Restivus {`
`276`	`276`	`const code = request.headers['x-2fa-code'];`
`277`	`277`	`const method = request.headers['x-2fa-method'];`
`278`	`278`
`279`		`- checkCodeForUser({ user: userId, code, method, options, connection });`
	`279`	`+ checkCodeForUser({ user: userId, code, method, options: options.twoFactorOptions, connection });`
`280`	`280`
`281`	`281`	`invocation.twoFactorChecked = true;`
`282`	`282`	`}`
`@@ -400,7 +400,7 @@ export class APIClass extends Restivus {`
`400`	`400`	`Accounts._setAccountData(connection.id, 'loginToken', this.token);`
`401`	`401`
`402`	`402`	`if (_options.twoFactorRequired) {`
`403`		`- api.processTwoFactor({ userId: this.userId, request: this.request, invocation, options: _options.twoFactorOptions, connection });`
	`403`	`+ api.processTwoFactor({ userId: this.userId, request: this.request, invocation, options: _options, connection });`
`404`	`404`	`}`
`405`	`405`
`406`	`406`	`result = DDP._CurrentInvocation.withValue(invocation, () => Promise.await(originalAction.apply(this))) \|\| API.v1.success();`
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
	`1`	`+import './api';`
`1`	`2`	`import './ldap';`
`2`	`3`	`import './licenses';`