Added newAccountsRights to SSO strategies

common.js

@@ -269,4 +269,26 @@ module.exports.copyFile = function(source, target, cb) {
     wr.on('close', function (ex) { done(); });
     rd.pipe(wr);
     function done(err) { if (!cbCalled) { cb(err); cbCalled = true; } }
+}
+
+module.exports.meshServerRightsArrayToNumber = function (val) {
+    if (val == null) return null;
+    if (typeof val == 'number') return val;
+    if (Array.isArray(val)) {
+        var newAccRights = 0;
+        for (var j in val) {
+            var r = val[j].toLowerCase();
+            if (r == 'fulladmin') { newAccRights = 4294967295; } // 0xFFFFFFFF
+            if (r == 'serverbackup') { newAccRights |= 1; }
+            if (r == 'manageusers') { newAccRights |= 2; }
+            if (r == 'serverrestore') { newAccRights |= 4; }
+            if (r == 'fileaccess') { newAccRights |= 8; }
+            if (r == 'serverupdate') { newAccRights |= 16; }
+            if (r == 'locked') { newAccRights |= 32; }
+            if (r == 'nonewgroups') { newAccRights |= 64; }
+            if (r == 'notools') { newAccRights |= 128; }
+        }
+        return newAccRights;
+    }
+    return null;
 }

meshcentral.js

@@ -1063,23 +1063,8 @@ function CreateMeshCentralServer(config, args) {
             if ((obj.config.domains[i].auth == 'ldap') || (obj.config.domains[i].auth == 'sspi')) { obj.config.domains[i].newaccounts = 0; } // No new accounts allowed in SSPI/LDAP authentication modes.
 
             // Convert newAccountsRights from a array of strings to flags number.
-            if (obj.config.domains[i].newaccountsrights && Array.isArray(obj.config.domains[i].newaccountsrights)) {
-                var newAccRights = 0;
-                for (var j in obj.config.domains[i].newaccountsrights) {
-                    var r = obj.config.domains[i].newaccountsrights[j].toLowerCase();
-                    if (r == 'fulladmin') { newAccRights = 4294967295; } // 0xFFFFFFFF
-                    if (r == 'serverbackup') { newAccRights |= 1; }
-                    if (r == 'manageusers') { newAccRights |= 2; }
-                    if (r == 'serverrestore') { newAccRights |= 4; }
-                    if (r == 'fileaccess') { newAccRights |= 8; }
-                    if (r == 'serverupdate') { newAccRights |= 16; }
-                    if (r == 'locked') { newAccRights |= 32; }
-                    if (r == 'nonewgroups') { newAccRights |= 64; }
-                    if (r == 'notools') { newAccRights |= 128; }
-                }
-                obj.config.domains[i].newaccountsrights = newAccRights;
-            }
-            if (obj.config.domains[i].newaccountsrights && (typeof (obj.config.domains[i].newaccountsrights) != 'number')) { delete obj.config.domains[i].newaccountsrights; }
+            obj.config.domains[i].newaccountsrights = obj.common.meshServerRightsArrayToNumber(obj.config.domains[i].newaccountsrights);
+            if (typeof (obj.config.domains[i].newaccountsrights) != 'number') { delete obj.config.domains[i].newaccountsrights; }
 
             // Check if there is a web views path and/or web public path for this domain
             if ((__dirname.endsWith('/node_modules/meshcentral')) || (__dirname.endsWith('\\node_modules\\meshcentral')) || (__dirname.endsWith('/node_modules/meshcentral/')) || (__dirname.endsWith('\\node_modules\\meshcentral\\'))) {

sample-config-advanced.json

@@ -212,6 +212,7 @@
           "_disableRequestedAuthnContext": true,
           "newAccounts": true,
           "_newAccountsUserGroups": [ "ugrp//xxxxxxxxxxxxxxxxx" ],
+          "_newAccountsRights": [ "nonewgroups", "notools" ],
           "entityid": "meshcentral",
           "idpurl": "https://server/saml2",
           "cert": "saml.pem"

webserver.js

@@ -1845,6 +1845,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
                     user = { type: 'user', _id: userid, name: req.user.name, email: req.user.email, creation: Math.floor(Date.now() / 1000), domain: domain.id };
                     if (req.user.email != null) { user.email = req.user.email; user.emailVerified = true; }
                     if (domain.newaccountsrights) { user.siteadmin = domain.newaccountsrights; } // New accounts automatically assigned server rights.
+                    if (domain.authstrategies[req.user.strategy].newaccountsrights) { user.siteadmin = obj.common.meshServerRightsArrayToNumber(domain.authstrategies[req.user.strategy].newaccountsrights); } // If there are specific SSO server rights, use these instead.
                     if (newAccountRealms) { user.groups = newAccountRealms; } // New accounts automatically part of some groups (Realms).
                     obj.users[userid] = user;
 
@@ -4583,7 +4584,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
                                 path: (typeof domain.authstrategies.intel.callbackurl == 'string') ? domain.authstrategies.intel.callbackurl : (url + 'auth-intel-callback'),
                                 entryPoint: domain.authstrategies.intel.idpurl, issuer: 'meshcentral'
                             };
-                            if (domain.authstrategies.saml.disablerequestedauthncontext != null) { options.disableRequestedAuthnContext = domain.authstrategies.saml.disablerequestedauthncontext; }
+                            if (domain.authstrategies.intel.disablerequestedauthncontext != null) { options.disableRequestedAuthnContext = domain.authstrategies.intel.disablerequestedauthncontext; }
                             parent.debug('web', 'Adding Intel SSO with options: ' + JSON.stringify(options));
                             if (typeof domain.authstrategies.intel.entityid == 'string') { options.issuer = domain.authstrategies.intel.entityid; }
                             options.cert = cert.toString().split('-----BEGIN CERTIFICATE-----').join('').split('-----END CERTIFICATE-----').join('');