CoreID/app/routing/middleware/api/Permission.middleware.js

const { Middleware } = require('libflitter')

class PermissionMiddleware extends Middleware {
    static get services() {
        return [...super.services, 'models', 'activity']
    }

    async test(req, res, next, { check }) {
        const Policy = this.models.get('iam:Policy')

        if ( !req.additional_api_log_data ) req.additional_api_log_data = {}
        req.additional_api_log_data.permission_check = check

        // If the request was authorized using an OAuth2 bearer token,
        // make sure the associated client has permission to access this endpoint.
        if ( req?.oauth?.client ) {
            if ( !req.oauth.client.can(check) ) {
                const reason = 'oauth-permission-fail'
                const fail_activity = await this.activity.api_access_denial({
                    req,
                    reason,
                    check,
                    oauth_client_id: req.oauth.client.uuid,
                })

                req.additional_api_log_data.permission_check_succeeded = false
                req.additional_api_log_data.permission_check_activity_id = fail_activity.id

                return res.status(401)
                    .message('Insufficient permissions (OAuth2 Client).')
                    .api()
            }

            req.additional_api_log_data.permission_check_succeeded = true

            // If the oauth2 client has this permission, then allow the request to continue,
            // even if the user does not.
            // OAuth2Clients need to be able to query users via the API.
            return next()
        }

        const policy_denied = await Policy.check_user_denied(req.user, check)
        const policy_access = await Policy.check_user_access(req.user, check)

        // Make sure the user has permission
        if ( policy_denied || (!req.user.can(check) && !policy_access) ) {
            // Record the failed API access
            const reason = policy_denied ? 'iam-denial' : (!req.user.can(check) ? 'user-permission-fail' : 'iam-not-granted')
            const fail_activity = await this.activity.api_access_denial({ req, reason, check })

            req.additional_api_log_data.permission_check_succeeded = false
            req.additional_api_log_data.permission_check_reason = reason
            req.additional_api_log_data.permission_check_activity_id = fail_activity.id

            return res.status(401)
                .message('Insufficient permissions.')
                .api()
        }

        req.additional_api_log_data.permission_check_succeeded = true
        return next()
    }
}

module.exports = exports = PermissionMiddleware
Flesh out Cobalt, LDAP groups, &c. 2020-05-12 01:26:09 +00:00			`const { Middleware } = require('libflitter')`

			`class PermissionMiddleware extends Middleware {`
Add api_scope target for IAM policy 2020-05-21 02:17:07 +00:00			`static get services() {`
Expand activity tracking and add PasswordResetAlert job 2020-07-13 14:35:11 +00:00			`return [...super.services, 'models', 'activity']`
Add api_scope target for IAM policy 2020-05-21 02:17:07 +00:00			`}`

Flesh out Cobalt, LDAP groups, &c. 2020-05-12 01:26:09 +00:00			`async test(req, res, next, { check }) {`
Add api_scope target for IAM policy 2020-05-21 02:17:07 +00:00			`const Policy = this.models.get('iam:Policy')`

Guarantee additional logging data object in permission middleware 2020-10-19 15:19:01 +00:00			`if ( !req.additional_api_log_data ) req.additional_api_log_data = {}`
Add api authorization logging 2020-10-19 02:07:42 +00:00			`req.additional_api_log_data.permission_check = check`

Implement OAuth2 server, link oauth:Client and auth::Oauth2Client, implement permission checks 2020-05-17 04:55:08 +00:00			`// If the request was authorized using an OAuth2 bearer token,`
			`// make sure the associated client has permission to access this endpoint.`
			`if ( req?.oauth?.client ) {`
Expand activity tracking and add PasswordResetAlert job 2020-07-13 14:35:11 +00:00			`if ( !req.oauth.client.can(check) ) {`
			`const reason = 'oauth-permission-fail'`
Add api authorization logging 2020-10-19 02:07:42 +00:00			`const fail_activity = await this.activity.api_access_denial({`
Expand activity tracking and add PasswordResetAlert job 2020-07-13 14:35:11 +00:00			`req,`
			`reason,`
			`check,`
Permission middleware log oauth client UUID 2020-10-18 23:55:21 +00:00			`oauth_client_id: req.oauth.client.uuid,`
Expand activity tracking and add PasswordResetAlert job 2020-07-13 14:35:11 +00:00			`})`

Add api authorization logging 2020-10-19 02:07:42 +00:00			`req.additional_api_log_data.permission_check_succeeded = false`
			`req.additional_api_log_data.permission_check_activity_id = fail_activity.id`

Implement OAuth2 server, link oauth:Client and auth::Oauth2Client, implement permission checks 2020-05-17 04:55:08 +00:00			`return res.status(401)`
			`.message('Insufficient permissions (OAuth2 Client).')`
			`.api()`
Expand activity tracking and add PasswordResetAlert job 2020-07-13 14:35:11 +00:00			`}`
Allow oauth2 clients to exercise permissions independent to the user 2020-10-19 01:22:10 +00:00
Add api authorization logging 2020-10-19 02:07:42 +00:00			`req.additional_api_log_data.permission_check_succeeded = true`

Allow oauth2 clients to exercise permissions independent to the user 2020-10-19 01:22:10 +00:00			`// If the oauth2 client has this permission, then allow the request to continue,`
			`// even if the user does not.`
			`// OAuth2Clients need to be able to query users via the API.`
			`return next()`
Implement OAuth2 server, link oauth:Client and auth::Oauth2Client, implement permission checks 2020-05-17 04:55:08 +00:00			`}`

Add api_scope target for IAM policy 2020-05-21 02:17:07 +00:00			`const policy_denied = await Policy.check_user_denied(req.user, check)`
			`const policy_access = await Policy.check_user_access(req.user, check)`

Implement OAuth2 server, link oauth:Client and auth::Oauth2Client, implement permission checks 2020-05-17 04:55:08 +00:00			`// Make sure the user has permission`
Expand activity tracking and add PasswordResetAlert job 2020-07-13 14:35:11 +00:00			`if ( policy_denied \|\| (!req.user.can(check) && !policy_access) ) {`
			`// Record the failed API access`
			`const reason = policy_denied ? 'iam-denial' : (!req.user.can(check) ? 'user-permission-fail' : 'iam-not-granted')`
Add api authorization logging 2020-10-19 02:07:42 +00:00			`const fail_activity = await this.activity.api_access_denial({ req, reason, check })`

			`req.additional_api_log_data.permission_check_succeeded = false`
			`req.additional_api_log_data.permission_check_reason = reason`
			`req.additional_api_log_data.permission_check_activity_id = fail_activity.id`
Expand activity tracking and add PasswordResetAlert job 2020-07-13 14:35:11 +00:00
Flesh out Cobalt, LDAP groups, &c. 2020-05-12 01:26:09 +00:00			`return res.status(401)`
			`.message('Insufficient permissions.')`
			`.api()`
Expand activity tracking and add PasswordResetAlert job 2020-07-13 14:35:11 +00:00			`}`
Flesh out Cobalt, LDAP groups, &c. 2020-05-12 01:26:09 +00:00
Add api authorization logging 2020-10-19 02:07:42 +00:00			`req.additional_api_log_data.permission_check_succeeded = true`
Flesh out Cobalt, LDAP groups, &c. 2020-05-12 01:26:09 +00:00			`return next()`
			`}`
			`}`

			`module.exports = exports = PermissionMiddleware`