From 7b1c553ca83bcf58178cfe8a24aa4e8b72e00e52 Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire <ysainthilaire@hotmail.com>
Date: Tue, 19 May 2020 19:02:27 -0700
Subject: [PATCH] Started work on added JumpCloud support.

---
 meshcentral.js                      |   1 +
 public/images/login/jumpcloud32.png | Bin 0 -> 956 bytes
 public/images/login/jumpcloud64.png | Bin 0 -> 2389 bytes
 views/default.handlebars            |   3 ++-
 views/login.handlebars              |   2 ++
 webserver.js                        |  38 +++++++++++++++++++++++++++-
 6 files changed, 42 insertions(+), 2 deletions(-)
 create mode 100644 public/images/login/jumpcloud32.png
 create mode 100644 public/images/login/jumpcloud64.png

diff --git a/meshcentral.js b/meshcentral.js
index d7aa06c2..ba79a458 100644
--- a/meshcentral.js
+++ b/meshcentral.js
@@ -2556,6 +2556,7 @@ function mainStart() {
                 if ((typeof config.domains[i].authstrategies.google == 'object') && (typeof config.domains[i].authstrategies.google.clientid == 'string') && (typeof config.domains[i].authstrategies.google.clientsecret == 'string') && (passport.indexOf('passport-google-oauth20') == -1)) { passport.push('passport-google-oauth20'); }
                 if ((typeof config.domains[i].authstrategies.github == 'object') && (typeof config.domains[i].authstrategies.github.clientid == 'string') && (typeof config.domains[i].authstrategies.github.clientsecret == 'string') && (passport.indexOf('passport-github2') == -1)) { passport.push('passport-github2'); }
                 if ((typeof config.domains[i].authstrategies.reddit == 'object') && (typeof config.domains[i].authstrategies.reddit.clientid == 'string') && (typeof config.domains[i].authstrategies.reddit.clientsecret == 'string') && (passport.indexOf('passport-reddit') == -1)) { passport.push('passport-reddit'); }
+                if ((typeof config.domains[i].authstrategies.saml == 'object') || (typeof config.domains[i].authstrategies.jumpcloud == 'object')) { passport.push('passport-saml'); }
             }
             if ((config.domains[i].sessionrecording != null) && (config.domains[i].sessionrecording.index == true)) { recordingIndex = true; }
         }
diff --git a/public/images/login/jumpcloud32.png b/public/images/login/jumpcloud32.png
new file mode 100644
index 0000000000000000000000000000000000000000..46f53e82670541c1b7ffa07648b142ba482bba5e
GIT binary patch
literal 956
zcmV;t14I0YP)<h;3K|Lk000e1NJLTq001BW001Be0ssI2{21+{00001b5ch_0Itp)
z=>Px#1ZP1_K>z@;j|==^1poj532;bRa{vGi!vFvd!vV){sAK>D15rstK~zXfWBmXB
zKLafR6O^VI7`1>P7`1>PAR!;T`}Y0jtG8UNtQz7X>@3VsQ9^(y3vRuB*R=D<(fd#S
zffaMJvW6OHlsZ}Pu(LrF-~og!IQj5t!t$-(e*K2>VL)9>Xi1Ep00##fUf&R~;N$n7
z4%3#t`}!TqM+Hob42+D7nqnd;mIeX3YK%}}6oAtLpy<`-uNR-Wvf}(Ts1OYBbF$~!
z7`v(~ak8<#|N4E+#q0A=U5YW$Y4oszsz3tREx7#rRoSNfci+7Sx(*obH(tK|_4hAC
zN|c*xX{_I-tGAb)x%%Pz4;ca8A_p^m4vzHI+ouM*yK5*xl)(YQ0wCkw+Yj%){rL6w
zPuj}u-dZXJ_NF&py#q?AiwbrhIJN%LO(1(lsK<djkI=l;>+f{)<=dOD-!F>xg$ls{
z)PjpoUzTjzd+YUkh-jd$T8yzy+Ugx|zkUOTtT-?C%rMXCN6(#l^lU?Ni2anMX#SSu
z<z5==?>lFWm4Xy2GZQfMfKkH42#OR?Mtk`FW7LvOaMPI?84B&qa@XwwnhxXwO?vV9
zYySG(#SUh2g8a8$y~7OE=byjva<F~<^=tR72ivaSE7-6%ZPm8F|Na4`Ko(3ta`wy5
zUtpCWAj-q@`PZ*!pT0o(VDRwWM|KvL@4tRa@$mrt4Hbm}9yZqBfBwM585#cXzWHz+
zI7mSjoOt*QEDi;~{{01JB`60D7#V?nfAId}KZgItGU8A{7zi`a*mwI8*tc--f6KKy
zKni35T229``Zr&{S;$L4`C#Cxs&M1g+uwixoqzmdLZAz<z<^4ClR%lX<+&%%p?nzl
z2~Kz*3!GIIz#>o}C&0_f%p7m3iyRVRh8n<vVL_A+A18b0!u8*NBQiEH@q{m27i+3l
z?qm)X0s{*<X&?zoMW25B^qsT%!Ml$@J}_M`iS}*Vb9~p$duU<3J}Kz<{ij{~PeS>q
zfQ^}XW*9I9KU{eF3Xm%=$iF!?l%IngnoQq*{oc0c=&l?0Ck4Chzx81CrJHE+s3$4f
z=xG-;e=SA|LI6Qd4xphvvq6cq+}T2uhZ`t}l9Pc6i-`$Xz)%yQSU?K^ie#FCQ40uy
eQ40tF1_l5RaBp^TpCW7k0000<MNUMnLSTY2Xw1<7

literal 0
HcmV?d00001

diff --git a/public/images/login/jumpcloud64.png b/public/images/login/jumpcloud64.png
new file mode 100644
index 0000000000000000000000000000000000000000..cfd10e56d26bb390cc22d948944a2b1e5c5733e0
GIT binary patch
literal 2389
zcmV-b399yqP)<h;3K|Lk000e1NJLTq002M$002M;0ssI2B@5<>00001b5ch_0Itp)
z=>Px#1ZP1_K>z@;j|==^1poj532;bRa{vGi!vFvd!vV){sAK>D2<k~hK~!i%?U)Nx
zQ}-Rm@4b2PObFp61T4ry1hpXOP~@RNwNgygsuSkUdgk%9t=l|jc6M9sX5F#%v8p|t
zZtbB4nQh(ZKt=5;8m#gx&!Gh6B_u#X0)ae9a`(H*9r8$GnCzsSlg~Mv{Qv*^fBe3`
z`~Us_zYB`vI5L;P$lp1OQ-Gs!3UD+|0glEgz|lAbI2xw_N8=RWXy&|t|H}uBLZfRI
z_1B9B<SG>%qbv#Ziw^J$VKd3cv&t+BsCgnff4@%fs8=<nLs8V+h$A=!K_mS*xp6Vu
zmPIqDRCD{RFlz#aHJU$ub?;K$Lok=H86mAFfFjX`;}{z5?R8?~nmFz}^3iiMI|6!#
z6t91AtyL^DS^o@ZRLb$}G~SYhWc~S=1p&iqO>V(Io5WJGZU<Bf_R*HCgy2Af5%+Rs
z&?pr0!OWQj0eil<cI`nYYKQM9Lc=gUZh$c!bXt_J?}q45cqbfpSMsslJg)%3<L;e>
zS8?1(*6n6IM8=o*V9*a`tlS>Ah=NUspJ(yB0`mC9cRRZAi6LtR6hSEzEHgYLYhhSy
zpg+@v4huh#4^?;d6*adCC32z%j=vfkah#V)#q7PH{ucoTqp_+>B<Oh3ERx*q=rI!R
zw<Q1~8*EDs;~rVRI+WuLEn2-nuGWB+KBheb6BaiMe^**QqSYA@{Iw-fCwQ5rq0eS!
z0wCrtH?({xsP9w^q4tl%(e3e3M>nJ+D0=<jqYG8dP2vHSP7e<PJUr4OLiQ&o1hbis
zrLx?D60u?w?vK;2X63|2ki%^<0|5$+X8+}zg7#h<HGo&=vsuf6=7o4O!NEd_tf9A0
zJgml1BRHEJK>8lrv^e4fFJnZb-GBK;d3z762`LN&J^T<|QN)!_eJ3k<Yg|l+RK6v@
zNTN~)GCc%8$)($I<=HDhq0#2?zpNKaVaaHJpTjRDFP|TX{r9c~bOyt1Vdt^3sz*{8
z*+hT`vsk5jwnAwKzqm;>U~w_f2~!=*PTv-{=*z~|H;TT3ZWnTM(!xW?9@eoeK&Lmf
z^hw}om#I|l4Eh2Nn_t^-OV|S|ZCMg|EN3lj-zHK2*KOSo`v<|vG5(zFnD8(T8#eK;
zuap(HJcfB;9{4-Cam|*c(Z9WR=R!@hd2(wosMyWj+e6r__2(`<l*n`AV~%F0k<Y9%
zRRF}(g__25_v%FoC2=Z%Z{QDJGyE8F-qOgE8#9#}?ZGRzOCNUNMkDMQjMxYm92?-j
zLm5e~G}@leum7vH1Dajvl-ggst{fXnI?dPX4dfcuz>&>MqfYWNKB;VY=lVB`gM8jt
zo%l#1bD>e9{e9!O{uYy{Ndn+b-St^%MVAOB8&Ac?31WHP+P4F?N-n>+p-+lVJNrTK
z@{oYSojjN)^=yGcH<t23P{9v)7i*giT@{d>tOJ&KyD@4H{8%_3U3dO6j_6I{gn}0h
zsFCC9wlg7iU-B{++9VlIk6W!?|HF$VmEFBy`84Z^`o2|hF!;T%?>F@IBbIJ1cvY3%
z;xmG3j=S6Lq<E+Yd$FLsO*&-mU>jIerXCv@9rg8eM^FPs*hZKETa<!ea<%$YdF?BI
z{k&T?X||^V&Xm`DE0UPUOaYwDprJXjky54la$_rIoc4AmkYCdbzE~d}3gcKV3}}&z
zDD6Bd0O$z;4c#XWFqH|%wo2rC|9*2st2H$fkOE{%^(R$z6f4WXehOr=m@bUE9<h2%
z4=%C6uu=>04Hp*2)uml7hn5H*Z_{RYHgpQ+Mx*J*^eAfKCPooBqmd@@;Ggf-kxk<Q
zu0Lp3X>o&<RZtua^74d&U7G>LWoj+tGZ1`TvJq%l#`Q-m88iiOdIX2<<>uNb>cg!&
z2`-RNs~bnPI&+nr_iiWTGd4VnYmLMi;%7&;2rrRp%Ek=1Q8*xPlMJp53y$*jGC#Ee
zoMv0&qM>k8*ojTrK~umLWBPmTPs|lkfK;h57c64L(6+uo$Ri^CU^Cd5ngFhd*Z@B`
zhz3;}BVzdIemw=l-pX2K+7-6OE(+l6SQaB4RbG40F*yXL0x?<B+ixzD0&HinaFEH>
zTKL|Lo#(g6-v<<t52gX(m%1R>&(poEty2$*QKY1y4YG{X1tEvlB-)6CP;chh%`Y*i
zl*6UvD&5l<wFbOibAc4F(3eOOtwZ?Z<BEDXAC7EDWl-tn)~TR4ljipOb*sVhzf?AY
z_3jw;m+1)$3C+mn7Z*kPa?Bm4v;D=W`D|jF9Y|lkGK@=XbsL~qFpG#ufE2JM0!}@^
z>Wc&CNtG(4Ru|8mcbd1>a<~|=Q=8JbY}Sxk4JRqAQMBu|y~zoXM;*L!EBOpxI50@|
zoW{|znwQW0?Mh2)h&P+RgLiPva+?Zp_#8Et$eS2^w*Gvfuz$#sWyGy~AUR=gY9bV>
zyF?!ds_u35PLFvU#WTWR*taS^AtX>UriVKlPTos(&40L2F{0DjG>8B?7;$7(829~G
z(z#yD{L1>bZ+v6&>7=1hSv=3TWEYVj64mi5=6**{-o+BVaoYYyk;7Rlf3za5cWC%m
zSMJ<>+-+*KZV!s=TCw;ySt(Hbu)O-%oeIo=S$<<y@bmO2%*&4O<^1V(<*7S0;FpQP
z1LcCe?Bp;qQ6;w!kQB;&bL|SULP8At`RW9)9!|qeAOEAgy_+z_)<sOXY-u3zZ=d{%
zy7$YfXKFnl85zmrmxzWHKTS!D3FJ&14N2vj8Q&YX9(XDM*p(E2c2kxogKmB;a2Q7g
z`1~v-Q97#1<(G(+Do}6ZBr%h~4cHJ9-r6sH_g0k=HpL9B2O#<F8&$q_RRHJj+nLGm
zEp2Z1WH8>#N!hb9-dr^^HJt`zN>yQ9%k_UhZj%jtz+1a6I{eeBhBM{0<l|>?<mD6?
za=fhKvu|6bPCXOgJ}KS3jqT>THNOaKObh3JKR(ub+D&Rfz&MaIL1qGOAnV^rYzdeX
ze5bu@4^9D&#wozjI0ZNwrvOLe6yRu_0vwG~fTNk?0ubasBe=_Ms6#Gl00000NkvXX
Hu0mjf2xE1<

literal 0
HcmV?d00001

diff --git a/views/default.handlebars b/views/default.handlebars
index 6e52689e..09f1bb27 100644
--- a/views/default.handlebars
+++ b/views/default.handlebars
@@ -886,7 +886,7 @@
                             </td>
                             <td style=width:20px></td>
                             <td style=width:200px;position:relative valign=top>
-                                <img id="p30userAuthServiceLogo" loading="lazy" style="display:none" class=userAuthStrategyLogo src=images/login/reddit64.png width=64 height=64>
+                                <img id="p30userAuthServiceLogo" loading="lazy" style="display:none" class=userAuthStrategyLogo width=64 height=64>
                                 <picture id=MainUserImage style=border-width:0px;height:200px;width:200px;float:right>
                                     <source type="image/webp" width=200 height=200 srcset="images/webp/user-256.webp" />
                                     <img alt="" width=200 height=200 src=images/user-256.png />
@@ -10884,6 +10884,7 @@
             else if (shortuserid.startsWith('~google:')) { QV('p30userAuthServiceLogo', true); Q('p30userAuthServiceLogo').src = 'images/login/google64.png';; }
             else if (shortuserid.startsWith('~github:')) { QV('p30userAuthServiceLogo', true); Q('p30userAuthServiceLogo').src = 'images/login/github64.png';; }
             else if (shortuserid.startsWith('~reddit:')) { QV('p30userAuthServiceLogo', true); Q('p30userAuthServiceLogo').src = 'images/login/reddit64.png';; }
+            else if (shortuserid.startsWith('~jumpcloud:')) { QV('p30userAuthServiceLogo', true); Q('p30userAuthServiceLogo').src = 'images/login/jumpcloud64.png';; }
             else if (shortuserid.startsWith('~intel:')) { QV('p30userAuthServiceLogo', true); Q('p30userAuthServiceLogo').src = 'images/login/intel64.png';; }
             else { QV('p30userAuthServiceLogo', false); }
 
diff --git a/views/login.handlebars b/views/login.handlebars
index b820a35b..75e49cfa 100644
--- a/views/login.handlebars
+++ b/views/login.handlebars
@@ -77,6 +77,7 @@
                                     <a id="auth-google" href="auth-google" style="display:none"><img src="images/login/google32.png" loading="lazy" width="32" height="32" style="margin-left:3px;margin-right:3px;border-radius:3px;box-shadow:2px 2px 5px black;cursor:pointer" title="Sign-in using Google" /></a>
                                     <a id="auth-github" href="auth-github" style="display:none"><img src="images/login/github32.png" loading="lazy" width="32" height="32" style="margin-left:3px;margin-right:3px;border-radius:3px;box-shadow:2px 2px 5px black;cursor:pointer" title="Sign-in using GitHub" /></a>
                                     <a id="auth-reddit" href="auth-reddit" style="display:none"><img src="images/login/reddit32.png" loading="lazy" width="32" height="32" style="margin-left:3px;margin-right:3px;border-radius:3px;box-shadow:2px 2px 5px black;cursor:pointer" title="Sign-in using Reddit" /></a>
+                                    <a id="auth-jumpcloud" href="auth-jumpcloud" style="display:none"><img src="images/login/jumpcloud32.png" loading="lazy" width="32" height="32" style="margin-left:3px;margin-right:3px;border-radius:3px;box-shadow:2px 2px 5px black;cursor:pointer" title="Sign-in using JumpCloud" /></a>
                                 </div>
                             </form>
                         </div>
@@ -384,6 +385,7 @@
                 if (authStrategies.indexOf('google') >= 0) { QV('auth-google', true); }
                 if (authStrategies.indexOf('github') >= 0) { QV('auth-github', true); }
                 if (authStrategies.indexOf('reddit') >= 0) { QV('auth-reddit', true); }
+                if (authStrategies.indexOf('jumpcloud') >= 0) { QV('auth-jumpcloud', true); }
             }
 
             // Display the welcome text
diff --git a/webserver.js b/webserver.js
index 7d699185..191dcdf7 100644
--- a/webserver.js
+++ b/webserver.js
@@ -2115,6 +2115,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
             if ((typeof domain.authstrategies.google == 'object') && (typeof domain.authstrategies.google.clientid == 'string') && (typeof domain.authstrategies.google.clientsecret == 'string')) { authStrategies.push('google'); }
             if ((typeof domain.authstrategies.github == 'object') && (typeof domain.authstrategies.github.clientid == 'string') && (typeof domain.authstrategies.github.clientsecret == 'string')) { authStrategies.push('github'); }
             if ((typeof domain.authstrategies.reddit == 'object') && (typeof domain.authstrategies.reddit.clientid == 'string') && (typeof domain.authstrategies.reddit.clientsecret == 'string')) { authStrategies.push('reddit'); }
+            if ((typeof domain.authstrategies.jumpcloud == 'object')) { authStrategies.push('jumpcloud'); }
             if ((typeof domain.authstrategies.intel == 'object') && (typeof domain.authstrategies.intel.clientid == 'string') && (typeof domain.authstrategies.intel.clientsecret == 'string')) { authStrategies.push('intel'); }
         }
 
@@ -4188,7 +4189,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
                     ));
                     obj.app.get(url + 'auth-reddit', function (req, res, next) {
                         req.session.rstate = obj.crypto.randomBytes(32).toString('hex');
-                        domain.passport.authenticate('reddit', { state: req.session.rstate, duration: 'permanent' })(req, res, next); // TODO: Replace 'rcookie' with a time-limited cookie
+                        domain.passport.authenticate('reddit', { state: req.session.rstate, duration: 'permanent' })(req, res, next);
                     });
                     obj.app.get(url + 'auth-reddit-callback', function (req, res, next) {
                         if ((Object.keys(req.session).length == 0) && (req.query.nmr == null)) {
@@ -4208,6 +4209,41 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
                         }
                     }, handleStrategyLogin);
                 }
+
+                // JumpCloud
+                if (typeof domain.authstrategies.jumpcloud == 'object') {
+                    const SamlStrategy = require('passport-saml').Strategy;
+
+                    var options = {
+                        path: url + 'auth-jumpcloud-callback',
+                        entryPoint: domain.authstrategies.jumpcloud.idpurl,
+                        issuer: 'passport-saml'
+                    };
+
+                    if (domain.authstrategies.jumpcloud.cert) {
+                        var cert = obj.fs.readFileSync(obj.path.join(obj.parent.datapath, domain.authstrategies.jumpcloud.cert));
+                        if (cert != null) { options.cert = cert.toString().split('-----BEGIN CERTIFICATE-----').join('').split('-----END CERTIFICATE-----').join(''); }
+                        //console.log(options);
+                    }
+
+                    passport.use(new SamlStrategy(options,
+                        function (profile, done) {
+                            //var user = { id: 'user/' + domain.id + '/~reddit:' + profile.id, name: profile.name };
+                            //if ((typeof profile.emails == 'object') && (profile.emails[0] != null) && (typeof profile.emails[0].value == 'string')) { user.email = profile.emails[0].value; }
+                            console.log('JumpCloud Profile', profile);
+                            var user = { id: 'user/' + domain.id + '/~jumpcloud:' + profile.id, name: profile.name };
+                            return done(null, user);
+                        }
+                    ));
+                    obj.app.get(url + 'auth-jumpcloud', function (req, res, next) {
+                        console.log('auth-jumpcloud');
+                        domain.passport.authenticate('saml', { failureRedirect: '/', failureFlash: true })(req, res, next);
+                    });
+                    obj.app.get(url + 'auth-jumpcloud-callback', function (req, res, next) {
+                        console.log('auth-jumpcloud-callback');
+                        domain.passport.authenticate('saml', { failureRedirect: '/', failureFlash: true })(req, res, next);
+                    });
+                }
             }
 
             // Server redirects