
Webapp for service desk

Open berki7867 opened this issue 4 years ago • 7 comments

Hi,

I'm trying to write a web app for our service desk, that

  1. Authenticates the service desk operator using their "service desk" AD group
  2. takes the user name from the service desk operator for the person they want to search AD for
  3. Gets further details from AD
  4. If the service desk operator is happy that it's the correct person, then pass the details to a web service to create the user on another system

I want the web app to be only accessible to the "service desk" AD group, but I can't get the authentication working. I've managed to get the HTTPS access working as well as the lookup into AD.

Below is what I have so far:

```powershell
Import-Module -Name Pode.Web -DisableNameChecking
Import-Module -Name ActiveDirectory

Start-PodeServer {

    Add-PodeEndpoint -Address localhost -Port 8080 -Protocol Http -Name EndPoint

    New-PodeAuthScheme -Form | Add-PodeAuthWindowsAd -Name 'Login' -Groups @('Domain Users') -Sessionless -FailureMessage 'failed login' -FailureURL 'google.co.uk'
    Set-PodeWebLoginPage -Authentication Login

    Use-PodeWebTemplates -Title 'Example' -Theme Dark -NoPageFilter -EndpointName EndPoint

    Add-PodeWebPage -Name 'Add Remove Users' -Title 'Add Remove Users' -AccessGroups 'Domain Users' -Icon Activity -EndpointName EndPoint -Layouts @(
        New-PodeWebCard -Content @(
            New-PodeWebForm -Name 'User' -ScriptBlock {
                Get-ADUser -Identity $WebEvent.Data.Name -Server 'AD Server' -ErrorAction Ignore |
                Select-Object -Property GivenName, Surname, UserPrincipalName |
                Out-PodeWebTextbox -Multiline -Preformat -ReadOnly
            } -Content @(
                New-PodeWebTextbox -Name 'Name'
            )
        )
    )
}
```

If I use New-PodeAuthScheme -Form I get a login page where I enter my credentials, but nothing happens, it just returns me back to the login page. Without any authentication, I get to the web app form and can do an AD search that successfully returns AD data.

Any pointers to put me in the right direction?

berki7867, Jun 30 '21 15:06

Hey @berki7867,

In the call to Add-PodeAuthWindowsAd remove the -Sessionless switch - that should fix it for you 😄

The form will be authenticating, but no session is being created, therefore the page will auto-redirect back to the login page. The -Sessionless switch is mostly for use with REST APIs that don't require sessions.

Badgerati, Jun 30 '21 16:06

Thanks for the reply. I've removed it, but now I get the error "Sessions are required to use session persistent authentication"

What function do I need to use to use the persistent authentication?

berki7867, Jul 01 '21 13:07

@berki7867, Whoops! Yep, you'll need to use Enable-PodeSessionMiddleware. Place this above your New-PodeAuthScheme:

```powershell
Enable-PodeSessionMiddleware -Secret 'schwifty' -Duration 120 -Extend
```

For testing you can keep the secret as "schwifty", but I'd recommend changing it to something different (it's the value used to encrypt sessions and verify them).

You can see more on login page here, and for sessions here.

Badgerati, Jul 01 '21 18:07

Thanks @Badgerati, I'm making progress. I can log in now and my AD lookup works as well as HTTPS.

I'm looking to restrict access to a certain Windows group. Currently if I use "Domain Users" I can log in, but if I specify an AD group that I'm a member of, it fails to log me in.

I'm trying to write the values of the $WebEvent.user to the screen, I've tried the command below under the Set-PodeWebLoginPage

```powershell
$WebEvent | Out-Default
$WebEvent.user | Out-Default
Write-Host $WebEvent.Auth
New-PodeLoggingMethod -File -Name 'Add Remove Users' -Path 'E:\Add Remove Users' | Enable-PodeErrorLogging -Levels Error, Warning, Informational, Verbose
```

But nothing is written to the screen, just says "listening on the following..."

berki7867, Jul 02 '21 14:07

Hey @berki7867,

Hmm, that is strange 🤔

For the $WebEvent object, this is only available in Route, Middleware, Authentication, and Page -ScriptBlocks. If you're trying to see what groups Pode has found for your user you can output this by adding an extra scriptblock on Add-PodeAuthWindowsAd:

```powershell
New-PodeAuthScheme -Form | Add-PodeAuthWindowsAd -Name 'Login' -Groups @('Domain Users') -FailureMessage 'failed login' -FailureURL 'google.co.uk' -ScriptBlock {
    param($user)
    $user | Out-Default
    return @{ User = $user }
}
```

It'll output the details to the terminal. The User outputted will contain a Groups property which is an array of all the groups you're a member of, it should hopefully also contain the group you're trying to use.

Badgerati, Jul 02 '21 18:07
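
The replies up to this point, assembled into one server script as an added example (not code posted by anyone in this thread): sessions are enabled before the auth scheme, -Sessionless is gone, and the scriptblock prints the resolved groups. Assumptions: the environment variable name PODE_SESSION_SECRET, the group name 'Service Desk', port 8443 with a self-signed test certificate, and the user name pattern.

```powershell
Import-Module -Name Pode.Web -DisableNameChecking
Import-Module -Name ActiveDirectory

Start-PodeServer {
    # Credentials are posted by the login form, so serve it over HTTPS.
    # -SelfSigned is for a test box only; use a real certificate otherwise.
    Add-PodeEndpoint -Address localhost -Port 8443 -Protocol Https -SelfSigned -Name EndPoint

    # Assumption: the session secret comes from an environment variable
    # (hypothetical name) instead of being hard-coded in the script.
    $secret = $env:PODE_SESSION_SECRET
    if ([string]::IsNullOrWhiteSpace($secret)) {
        throw 'PODE_SESSION_SECRET is not set'
    }

    # Sessions must exist before a session-persistent auth method is added.
    Enable-PodeSessionMiddleware -Secret $secret -Duration 120 -Extend

    # No -Sessionless here. 'Service Desk' is an assumed AD group name.
    New-PodeAuthScheme -Form | Add-PodeAuthWindowsAd -Name 'Login' -Groups @('Service Desk') -FailureMessage 'failed login' -ScriptBlock {
        param($user)
        # Temporary diagnostic: list the groups Pode resolved for this user.
        $user.Groups | Out-Default
        return @{ User = $user }
    }

    Set-PodeWebLoginPage -Authentication Login
    Use-PodeWebTemplates -Title 'Example' -Theme Dark -NoPageFilter -EndpointName EndPoint

    Add-PodeWebPage -Name 'Add Remove Users' -AccessGroups 'Service Desk' -Icon Activity -EndpointName EndPoint -Layouts @(
        New-PodeWebCard -Content @(
            New-PodeWebForm -Name 'User' -ScriptBlock {
                $name = [string]$WebEvent.Data.Name
                # Assumed pattern: accept only account-name characters before querying AD.
                if ($name -notmatch '^[A-Za-z0-9._-]{1,20}$') {
                    Out-PodeWebValidation -Name 'Name' -Message 'Invalid user name'
                    return
                }
                Get-ADUser -Identity $name -ErrorAction Ignore |
                    Select-Object -Property GivenName, Surname, UserPrincipalName |
                    Out-PodeWebTextbox -Multiline -Preformat -ReadOnly
            } -Content @(
                New-PodeWebTextbox -Name 'Name'
            )
        )
    )
}
```

Remove the group-listing line once the expected group shows up in the output, since it writes every operator's group membership to the terminal on each login.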

Thanks for help. I'm using Out-PodeWebTable to show the results of the lookup in AD, but images don't display. What out- function can I use to display the person's image?

berki7867, Jul 13 '21 21:07

Hey @berki7867,

At the moment if you want to display an image within the table it won't work (see supported elements in a table here). However, Images should be simple to add, so I'll look into it!

Badgerati, Jul 15 '21 08:07

This was resolved by #439, due to be released in v1.0.0. Closing this issue.

Badgerati, Apr 30 '23 21:04