manuel.sowada/radixOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add rbac + db-create script

Browse Source
This commit is contained in:
Manuel Sowada
2026-04-25 13:31:02 +00:00
parent 44f8ecdc85
commit 84c3d9f9ba
21 changed files with 908 additions and 336 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
src/models/authenticationGroupsModel.js Normal file
View File

@@ -0,0 +1,19 @@
const { DataTypes } = require('sequelize');
module.exports = (sequelize) => {
const AuthenticationGroups = sequelize.define('AuthenticationGroups', {
Authentication_ObjectGUID: {
type: DataTypes.UUID,
primaryKey: true
},
Group_ObjectGUID: {
type: DataTypes.UUID,
primaryKey: true
}
}, {
tableName: 'AuthenticationGroups',
timestamps: false
});
return AuthenticationGroups;
};

4
src/models/authenticationModel.js
View File

@@ -44,10 +44,6 @@ module.exports = (sequelize) => {
type: DataTypes.STRING,
allowNull: true,
},
authenticationType_ID: {
type: DataTypes.INTEGER,
allowNull: true,
},
telephoneNumber: {
type: DataTypes.STRING,
allowNull: true,

19
src/models/authenticationRolesModel.js Normal file
View File

@@ -0,0 +1,19 @@
const { DataTypes } = require('sequelize');
module.exports = (sequelize) => {
const AuthenticationRoles = sequelize.define('AuthenticationRoles', {
Authentication_ObjectGUID: {
type: DataTypes.UUID,
primaryKey: true
},
Role_ID: {
type: DataTypes.INTEGER,
primaryKey: true
}
}, {
tableName: 'AuthenticationRoles',
timestamps: false
});
return AuthenticationRoles;
};

5
src/models/eventlogView.js
View File

@@ -10,7 +10,6 @@ module.exports = (sequelize) => {
Date: { type: DataTypes.DATE },
department: { type: DataTypes.STRING },
ClearTextUser: { type: DataTypes.STRING },
ObjectTypDisplayName: { type: DataTypes.STRING },
Level_ID: { type: DataTypes.INTEGER },
LevelName: { type: DataTypes.STRING },
LevelPriority: { type: DataTypes.INTEGER },
@@ -22,8 +21,8 @@ module.exports = (sequelize) => {
Phone: { type: DataTypes.STRING },
Office: { type: DataTypes.STRING },
Adress: { type: DataTypes.STRING },
authenticationType_ID: { type: DataTypes.INTEGER },
TypeName: { type: DataTypes.STRING }
ObjectSource_ID: { type: DataTypes.INTEGER },
ObjectSourceName: { type: DataTypes.STRING },
}, {
tableName: 'vEventLog', // dein SQL-View
timestamps: false,

20
src/models/groupClosureModel.js Normal file
View File

@@ -0,0 +1,20 @@
const { DataTypes } = require('sequelize');
module.exports = (sequelize) => {
const GroupClosure = sequelize.define('GroupClosure', {
ParentGroup_ObjectGUID: {
type: DataTypes.UUID,
primaryKey: true
},
ChildGroup_ObjectGUID: {
type: DataTypes.UUID,
primaryKey: true
},
Depth: DataTypes.INTEGER
}, {
tableName: 'GroupClosure',
timestamps: false
});
return GroupClosure;
};

18
src/models/groupModel.js Normal file
View File

@@ -0,0 +1,18 @@
const { DataTypes } = require('sequelize');
module.exports = (sequelize) => {
const Group = sequelize.define('Group', {
ObjectGUID: {
type: DataTypes.UUID,
primaryKey: true
},
Name: DataTypes.STRING(255),
ObjectSource_ID: DataTypes.INTEGER,
distinguishedName: DataTypes.TEXT
}, {
tableName: 'Group',
timestamps: false
});
return Group;
};

19
src/models/groupRolesModel.js Normal file
View File

@@ -0,0 +1,19 @@
const { DataTypes } = require('sequelize');
module.exports = (sequelize) => {
const GroupRoles = sequelize.define('GroupRoles', {
Group_ObjectGUID: {
type: DataTypes.UUID,
primaryKey: true
},
Role_ID: {
type: DataTypes.INTEGER,
primaryKey: true
}
}, {
tableName: 'GroupRoles',
timestamps: false
});
return GroupRoles;
};

35
src/models/integratedStartMenuItems.json
View File

@@ -11,7 +11,10 @@
"view": "styleconfig",
"icon": "brush.png",
"permissions": [
"Administration"
{
"scope": "SYSTEM",
"action": "Administration"
}
]
},
{
@@ -23,7 +26,10 @@
"height": "900px"
},
"permissions": [
"Administration"
{
"scope": "SYSTEM",
"action": "Administration"
}
]
}
]
@@ -45,7 +51,10 @@
},
"icon": "eventlog.ico",
"permissions": [
"Administration"
{
"scope": "SYSTEM",
"action": "Administration"
}
]
}
]
@@ -67,7 +76,10 @@
},
"icon": "plugins.png",
"permissions": [
"Administration"
{
"scope": "SYSTEM",
"action": "Administration"
}
]
}
]
@@ -89,7 +101,10 @@
},
"icon": "serverinfo.png",
"permissions": [
"Administration"
{
"scope": "SYSTEM",
"action": "Administration"
}
]
}
]
@@ -111,7 +126,10 @@
},
"icon": "app.png",
"permissions": [
"*"
{
"scope": "SYSTEM",
"action": "Default_Access"
}
]
}
]
@@ -129,7 +147,10 @@
"view": "help",
"icon": "help.png",
"permissions": [
"*"
{
"scope": "SYSTEM",
"action": "Default_Access"
}
]
}
]

5
src/models/notifyTrayObjectsModel.js
View File

@@ -29,6 +29,11 @@ module.exports = (sequelize) => {
type: DataTypes.DATE,
allowNull: false,
defaultValue: DataTypes.NOW,
},
ExpiresAt: {
type: DataTypes.DATE,
allowNull: false,
defaultValue: DataTypes.NOW,
}
}, {
tableName: 'NotifyTrayObjects',

21
src/models/objectSourceModel.js Normal file
View File

@@ -0,0 +1,21 @@
const { DataTypes } = require('sequelize');
module.exports = (sequelize) => {
const ObjectSource = sequelize.define('ObjectSource', {
ID: {
type: DataTypes.INTEGER,
primaryKey: true,
autoIncrement: true
},
Name: {
type: DataTypes.STRING(100),
allowNull: false,
unique: true
}
}, {
tableName: 'ObjectSource',
timestamps: false
});
return ObjectSource;
};

20
src/models/permissionModel.js Normal file
View File

@@ -0,0 +1,20 @@
const { DataTypes } = require('sequelize');
module.exports = (sequelize) => {
const Permission = sequelize.define('Permission', {
ID: {
type: DataTypes.INTEGER,
primaryKey: true,
autoIncrement: true
},
Scope: DataTypes.STRING(100),
Resource: DataTypes.STRING(100),
Action: DataTypes.STRING(100)
}, {
tableName: 'Permission',
timestamps: false
});
return Permission;
};

19
src/models/roleModel.js Normal file
View File

@@ -0,0 +1,19 @@
const { DataTypes } = require('sequelize');
module.exports = (sequelize) => {
const Role = sequelize.define('Role', {
ID: {
type: DataTypes.INTEGER,
primaryKey: true,
autoIncrement: true
},
Name: DataTypes.STRING(255),
Description: DataTypes.TEXT,
RoleType: DataTypes.STRING(50)
}, {
tableName: 'Role',
timestamps: false
});
return Role;
};

19
src/models/rolePermissionsModel.js Normal file
View File

@@ -0,0 +1,19 @@
const { DataTypes } = require('sequelize');
module.exports = (sequelize) => {
const RolePermissions = sequelize.define('RolePermissions', {
Role_ID: {
type: DataTypes.INTEGER,
primaryKey: true
},
Permission_ID: {
type: DataTypes.INTEGER,
primaryKey: true
}
}, {
tableName: 'RolePermissions',
timestamps: false
});
return RolePermissions;
};

9
src/routes/indexRoutes.js
View File

@@ -12,11 +12,8 @@ const { doesNotReject } = require('assert');
module.exports = {
route: function(app, service) {
app.get('/', service.get('authenticationManager').authenticate(), async (req, res) => {
const startMenuItems = await global.startMenuItems(
app,
req.cookies.sAMAccountName,
service
);
console.log(req.cookies.ObjectGUID)
const startMenuItems = await global.startMenuItems(app, req.cookies.ObjectGUID, false);
res.render('desktop', { layout: 'default', startMenuItems: startMenuItems });
});
@@ -54,7 +51,7 @@ module.exports = {
res.status(204).send();
})
app.post('/api/Plugins/loadScripts', service.get('authenticationManager').authenticate(), async(req, res) => {
app.post('/api/Plugins/loadScripts', async(req, res) => {
const scripts = service.get('pluginManager').getStatus().map(plugin => {
const exists = service.get('fileSystemManager').exists(path.join(plugin.pluginPath, 'public', 'javascript', 'main.js'))

356
src/services/authenticationManager.js
View File

@@ -1,31 +1,27 @@
const jwt = require('jsonwebtoken');
const bcrypt = require('bcryptjs');
const { fn, col, where } = require('sequelize');
/**
* Authentication class for login method, token validation and password setting
*/
class AuthenticationManager {
constructor(model, secretKey) {
constructor(model, secretKey, databaseModel) {
this.Authentication = model;
this.SECRET_KEY = secretKey;
this.databaseModel = databaseModel;
}
/**
* Helper: Case-insensitive User Lookup
*/
// =========================================================
// USER
// =========================================================
async findUser(sAMAccountName) {
return await this.Authentication.findOne({
where: where(
fn('LOWER', col('sAMAccountName')),
sAMAccountName.toLowerCase()
)
return this.Authentication.findOne({
where: { sAMAccountName }
});
}
/**
* Set or reset password of user
*/
// =========================================================
// PASSWORD
// =========================================================
async setPassword(sAMAccountName, password) {
const user = await this.findUser(sAMAccountName);
@@ -33,16 +29,88 @@ class AuthenticationManager {
return { token: null, levelId: 2, message: 'Unbekannter User' };
}
const hashedPassword = await bcrypt.hash(password, 10);
user.password = hashedPassword;
user.password = await bcrypt.hash(password, 10);
await user.save();
return { token: null, levelId: 0, message: 'Passwort gesetzt' };
}
/**
* Login
*/
// =========================================================
// RBAC RESOLVER (LIVE - WICHTIG!)
// =========================================================
async resolvePermissions(objectGuid) {
const AuthenticationGroups = this.databaseModel.get('authenticationGroupsModel');
const GroupClosure = this.databaseModel.get('groupClosureModel');
const AuthenticationRoles = this.databaseModel.get('authenticationRolesModel');
const GroupRoles = this.databaseModel.get('groupRolesModel');
const RolePermissions = this.databaseModel.get('rolePermissionsModel');
const Permission = this.databaseModel.get('permissionModel');
// 1. USER GROUPS
const userGroups = await AuthenticationGroups.findAll({
where: { Authentication_ObjectGUID: objectGuid }
});
const directGroupIds = userGroups.map(g => g.Group_ObjectGUID);
// 2. NESTED GROUPS
let allGroupIds = [...directGroupIds];
if (directGroupIds.length) {
const closure = await GroupClosure.findAll({
where: { ParentGroup_ObjectGUID: directGroupIds }
});
allGroupIds.push(...closure.map(c => c.ChildGroup_ObjectGUID));
}
allGroupIds = [...new Set(allGroupIds)];
// 3. ROLES
const userRoles = await AuthenticationRoles.findAll({
where: { Authentication_ObjectGUID: objectGuid }
});
const groupRoles = await GroupRoles.findAll({
where: { Group_ObjectGUID: allGroupIds }
});
const roleIds = [
...new Set([
...userRoles.map(r => r.Role_ID),
...groupRoles.map(r => r.Role_ID)
])
];
// 4. PERMISSIONS
const rolePerms = await RolePermissions.findAll({
where: { Role_ID: roleIds }
});
const permissionIds = rolePerms.map(r => r.Permission_ID);
const permissions = await Permission.findAll({
where: { ID: permissionIds }
});
// 🔥 HIER DIE ÄNDERUNG
return {
groups: allGroupIds,
roles: roleIds,
permissions: permissions.map(p => ({
id: p.ID,
scope: p.Scope,
resource: p.Resource,
action: p.Action
}))
};
}
// =========================================================
// LOGIN (minimal change)
// =========================================================
async login(sAMAccountName, password) {
const user = await this.findUser(sAMAccountName);
@@ -55,20 +123,20 @@ class AuthenticationManager {
return { token: null, levelId: 1, message: 'Benutzer nicht registriert' };
}
const passwordMatch = await bcrypt.compare(password, user.password);
const ok = await bcrypt.compare(password, user.password);
if (!passwordMatch) {
if (!ok) {
return { token: null, levelId: 2, message: 'Falsches Passwort' };
}
const payload = {
sAMAccountName: user.sAMAccountName,
mail: user.mail,
givenName: user.givenName,
sn: user.sn
};
const token = jwt.sign(payload, this.SECRET_KEY, { expiresIn: '100y' });
const token = jwt.sign(
{
ObjectGUID: user.ObjectGUID,
sAMAccountName: user.sAMAccountName
},
this.SECRET_KEY,
{ expiresIn: '10s' }
);
user.refreshtoken = token;
user.online = true;
@@ -81,9 +149,10 @@ class AuthenticationManager {
};
}
/**
* Logout
*/
// =========================================================
// LOGOUT
// =========================================================
async logout(sAMAccountName) {
const user = await this.findUser(sAMAccountName);
@@ -98,14 +167,15 @@ class AuthenticationManager {
return { token: null, levelId: 0, message: 'Erfolgreich abgemeldet' };
}
/**
* Token prüfen
*/
// =========================================================
// VERIFY TOKEN (unchanged)
// =========================================================
async verifyUserToken(sAMAccountName) {
const user = await this.findUser(sAMAccountName);
if (!user || !user.refreshtoken) {
return { valid: false, levelId: 1, message: 'Kein gültiger Token' };
return { valid: false, levelId: 1 };
}
try {
@@ -113,42 +183,45 @@ class AuthenticationManager {
return {
valid: true,
payload,
user,
levelId: 0,
message: 'User verifiziert'
payload
};
} catch {
return {
valid: false,
levelId: 4,
message: 'Ungültiger Token'
};
return { valid: false, levelId: 4 };
}
}
/**
* Middleware
*/
// =========================================================
// 🔥 AUTH MIDDLEWARE (HIER PASSIERT DIE MAGIE)
// =========================================================
authenticate() {
return async (req, res, next) => {
try {
const sAMAccountName = req.cookies?.sAMAccountName;
const objectGUID = req.cookies?.ObjectGUID;
if (!sAMAccountName || !objectGUID) {
if (!sAMAccountName) {
return res.redirect('/login');
}
const user = await this.findUser(sAMAccountName);
if (!user || !user.refreshtoken || user.active === false) {
if (!user || !user.refreshtoken || !user.active) {
return res.redirect('/login');
}
jwt.verify(user.refreshtoken, this.SECRET_KEY);
// jwt.verify(user.refreshtoken, this.SECRET_KEY);
this.verifyUserToken(sAMAccountName)
// 🔥 LIVE RBAC RESOLUTION (bei JEDEM REQUEST)
const rbac = await this.resolvePermissions(user.ObjectGUID);
req.user = user;
req.user = {
...user.toJSON(),
groups: rbac.groups,
roles: rbac.roles,
permissions: rbac.permissions
};
console.log(req.user)
next();
} catch (err) {
console.error(err);
@@ -158,177 +231,4 @@ class AuthenticationManager {
}
}
module.exports = AuthenticationManager;
// const jwt = require('jsonwebtoken');
// const bcrypt = require('bcryptjs');
// let { levelId, message } = '';
// /**
// * Authentication class for login method, token validation and password setting
// */
// class AuthenticationManager {
// /**
// *
// * @param {object} model - Use the authentication database model for interact with the database
// * @param {string} secretKey - Defines the server secret for token validation
// */
// constructor(model, secretKey, eventManager) {
// this.eventManager = eventManager;
// // if (!model) throw new Error('Sequelize Model wird benötigt');
// // if (!secretKey) throw new Error('Secret Key wird benötigt');
// this.Authentication = model;
// this.SECRET_KEY = secretKey;
// }
// /**
// * Set or reset password of user
// * @param {string} sAMAccountName - Windows account name
// * @param {string} password - Set the new password
// */
// async setPassword(sAMAccountName, password) {
// const user = await this.Authentication.findOne({ where: { sAMAccountName } });
// if (!user) {
// // this.eventManager.write(null, 2, 0, { aboveLevel: 1 }, `User nicht gefunden`);
// levelId = 2;
// message = `Unbekannter User`
// return {token: null, levelId: levelId };
// // throw new Error(`User ${sAMAccountName} nicht gefunden`);
// }
// // if (user.password) throw new Error('Passwort bereits gesetzt');
// const hashedPassword = await bcrypt.hash(password, 10);
// user.password = hashedPassword;
// await user.save();
// }
// /**
// * Login mit Speicherung des Tokens in der Datenbank
// */
// async login(sAMAccountName, password) {
// const user = await this.Authentication.findOne({ where: { sAMAccountName } });
// if (!user) {
// //this.eventManager.write(null, 2, null, null, `User ${sAMAccountName} nicht geufunden`)
// levelId = 2;
// message = `Unbekannter Benutzer`;
// return { token: null, levelId: levelId, message: message };
// // throw new Error('Unkown user');
// }
// if (!user.password) {
// this.setPassword(sAMAccountName, password);
// // this.eventManager.write(user.ObjectGUID, 2, null, null, 'User registration initialized')
// levelId = 1;
// message = `Benutzer nicht registiert`;
// return { token: null, levelId: levelId, message: message };
// // throw new Error('User not registered');
// }
// const passwordMatch = await bcrypt.compare(password, user.password);
// if (!passwordMatch) {
// // this.eventManager.write(user.ObjectGUID, 2, null, null, 'Password doesn\'t match');
// levelId = 2;
// message = `Falsches Passwort`;
// return { token: null, levelId: levelId, message: message };
// // throw new Error('Wrong password');
// }
// // Token erzeugen
// const payload = {
// sAMAccountName: user.sAMAccountName,
// mail: user.mail,
// givenName: user.givenName,
// sn: user.sn
// };
// const token = jwt.sign(payload, this.SECRET_KEY, { expiresIn: '100y' });
// // Token in DB speichern
// user.refreshtoken = token;
// user.online = true;
// await user.save();
// // this.eventManager.write(user.ObjectGUID, 1, null, null, 'Erfolgreich angemeldet');
// levelId = 0;
// message = `Erfolgreich angemeldet`;
// return { token: token, levelId: levelId, message: message };
// }
// /**
// * Logout löscht Token aus der DB
// */
// async logout(sAMAccountName) {
// const user = await this.Authentication.findOne({ where: { sAMAccountName } });
// if (user) {
// user.refreshtoken = null;
// user.online = false;
// await user.save();
// levelId = 0;
// message = `Erfolgreich abgemeldet`;
// return { token: null, levelId: levelId, message: message };
// }
// }
// /**
// * Token-Prüfung (über DB)
// */
// async verifyUserToken(sAMAccountName) {
// const user = await this.Authentication.findOne({ where: { sAMAccountName } });
// if (!user || !user.refreshtoken) {
// levelId = 1,
// message = `Kein gültiger Token`;
// // throw new Error('Kein gespeicherter Token gefunden');
// }
// try {
// const payload = jwt.verify(user.refreshtoken, this.SECRET_KEY);
// levelId = 0;
// message = `User verifiziert`;
// return { valid: true, payload, user, levelId: levelId, message: message }
// } catch {
// levelId = 4;
// message = `Ungültiger Token`;
// return { valid: false, payload, user, levelId: levelId, message: message }
// }
// }
// /**
// * Express Middleware prüft Token direkt aus DB anhand sAMAccountNamec
// */
// authenticate() {
// return async (req, res, next) => {
// try {
// const sAMAccountName = req.cookies?.sAMAccountName;
// const objectGUID = req.cookies?.ObjectGUID;
// if (!sAMAccountName || !objectGUID) {
// return res.redirect('/login');
// // return res.status(401).json({ message: 'Kein Benutzer-Cookie gefunden' });
// }
// const user = await this.Authentication.findOne({ where: { sAMAccountName } });
// if (!user || !user.refreshtoken) {
// return res.redirect('/login');
// // return res.status(401).json({ message: 'Benutzer oder Token nicht gefunden' });
// }
// if (user.active === false) {
// return res.redirect('/login');
// // return res.status(401).json({ message: 'Benutzer ist nicht aktiv' });
// }
// // Token aus DB prüfen
// const payload = jwt.verify(user.refreshtoken, this.SECRET_KEY);
// req.user = user;
// next();
// } catch (err) {
// console.error(err);
// return res.redirect('/login');
// // res.status(401).json({ message: 'Authentifizierung fehlgeschlagen' });
// }
// };
// }
// }
// module.exports = AuthenticationManager;
module.exports = AuthenticationManager;

11
src/services/notifyTrayManager.js
View File

@@ -61,17 +61,6 @@ class notifyTrayManager {
ObjectGUID: objectGuid,
SeenAt: null
},
// include: [{
// model: this.objects,
// as: 'NotificationObject',
// required: true, // join zwingend
// where: {
// [this.objects.sequelize.Op.Or]: [
// { ExpiresAt: null },
// { ExpiresAt: { [this.objects.sequelize.Op.gt]: new Date() } }
// ]
// }
// }],
order: [[ 'SeenAt', 'ASC']]
});
}

38
src/services/pluginManager.js
View File

@@ -91,7 +91,7 @@ class PluginManager {
await this.Plugin.upsert({
Name: name,
Active: withActivate ? true : (await this.Plugin.findOne({ where: { Name: meta.live.name }})).Active,
Active: !withActivate ? meta.live.active : false,
Version: meta.live.version
});
@@ -287,27 +287,45 @@ class PluginManager {
}
}
__pluginTemplate(name, options = { }) {
__pluginTemplate(name, options = {}) {
return {
name,
description: options.description || 'Beschreibung hier einfügen',
version: options.version || `1.${new Date().getFullYear().toString().slice(-2)}.${new Date().getMonth() + 1}.${new Date().getDate()}`,
version: options.version ||
`1.${new Date().getFullYear().toString().slice(-2)}.${new Date().getMonth() + 1}.${new Date().getDate()}`,
// =========================
// MENU (RBAC READY)
// =========================
menu: {
label: name,
items: [
{
label: name,
items:[
view: "index",
defaultSize: { width: '800px', height: '600px' },
icon: "../../images/app.png",
// =========================
// RBAC PERMISSIONS
// =========================
permissions: [
{
label: name,
view: "index",
defaultSize: { width: '800px', height: '600px' },
icon: "../../images/app.png",
permissions: ["*"]
scope: name, // Plugin Scope (default = plugin name)
action: "Default_Access",
resource: "MenuItem"
}
]
}
]
},
config: options.config || {},
active: true
};
}
}
__setPermissions(pluginPath) {
if (!this.filePermissions.user && !this.filePermissions.group) return;