feature/cd
parent
6f621f5891
commit
d558f21375
@ -0,0 +1,112 @@
|
||||
import CRUDBase from './CRUDBase.js'
|
||||
import { session } from '../service/Session.service.js'
|
||||
|
||||
class AppResource extends CRUDBase {
|
||||
endpoint = '/api/v1/applications'
|
||||
required_fields = ['name', 'identifier']
|
||||
permission_base = 'v1:applications'
|
||||
|
||||
item = 'Application'
|
||||
plural = 'Applications'
|
||||
|
||||
listing_definition = {
|
||||
display: `
|
||||
An application is anything that can authenticate users against ${session.get('app.name')}. Applications can have any number of associated LDAP clients, SAML service providers, and OAuth2 clients.
|
||||
`,
|
||||
columns: [
|
||||
{
|
||||
name: 'Name',
|
||||
field: 'name',
|
||||
},
|
||||
{
|
||||
name: 'Identifier',
|
||||
field: 'identifier',
|
||||
},
|
||||
{
|
||||
name: 'Description',
|
||||
field: 'description',
|
||||
},
|
||||
],
|
||||
actions: [
|
||||
{
|
||||
type: 'resource',
|
||||
position: 'main',
|
||||
action: 'insert',
|
||||
text: 'Create New',
|
||||
color: 'success',
|
||||
},
|
||||
{
|
||||
type: 'resource',
|
||||
position: 'row',
|
||||
action: 'update',
|
||||
icon: 'fa fa-edit',
|
||||
color: 'primary',
|
||||
},
|
||||
{
|
||||
type: 'resource',
|
||||
position: 'row',
|
||||
action: 'delete',
|
||||
icon: 'fa fa-times',
|
||||
color: 'danger',
|
||||
confirm: true,
|
||||
},
|
||||
],
|
||||
}
|
||||
|
||||
form_definition = {
|
||||
fields: [
|
||||
{
|
||||
name: 'Name',
|
||||
field: 'name',
|
||||
placeholder: 'Awesome App',
|
||||
required: true,
|
||||
type: 'text',
|
||||
},
|
||||
{
|
||||
name: 'Identifier',
|
||||
field: 'identifier',
|
||||
placeholder: 'awesome_app',
|
||||
required: true,
|
||||
type: 'text',
|
||||
},
|
||||
{
|
||||
name: 'Description',
|
||||
field: 'description',
|
||||
type: 'textarea',
|
||||
},
|
||||
{
|
||||
name: 'Associated LDAP Clients',
|
||||
field: 'ldap_client_ids',
|
||||
type: 'select.dynamic.multiple',
|
||||
options: {
|
||||
resource: 'ldap/Client',
|
||||
display: 'name',
|
||||
value: 'id',
|
||||
},
|
||||
},
|
||||
{
|
||||
name: 'Associated OAuth2 Clients',
|
||||
field: 'oauth_client_ids',
|
||||
type: 'select.dynamic.multiple',
|
||||
options: {
|
||||
resource: 'oauth/Client',
|
||||
display: 'name',
|
||||
value: 'id',
|
||||
},
|
||||
},
|
||||
{
|
||||
name: 'Associated SAML Service Providers',
|
||||
field: 'saml_service_provider_ids',
|
||||
type: 'select.dynamic.multiple',
|
||||
options: {
|
||||
resource: 'saml/Provider',
|
||||
display: 'name',
|
||||
value: 'id',
|
||||
},
|
||||
},
|
||||
],
|
||||
}
|
||||
}
|
||||
|
||||
const app = new AppResource()
|
||||
export { app }
|
@ -0,0 +1,77 @@
|
||||
import CRUDBase from '../CRUDBase.js'
|
||||
import { session } from '../../service/Session.service.js'
|
||||
|
||||
class GroupResource extends CRUDBase {
|
||||
endpoint = '/api/v1/auth/groups'
|
||||
required_fields = ['name']
|
||||
permission_base = 'v1:auth:groups'
|
||||
|
||||
item = 'Group'
|
||||
plural = 'Groups'
|
||||
|
||||
listing_definition = {
|
||||
display: `
|
||||
In ${session.get('app.name')}, groups are simply a tool for organizing users and assigning permissions and access in bulk. After creating and assigning users to a group, you can manage permissions for that group, and its policies will be applied to all users in that group.
|
||||
`,
|
||||
columns: [
|
||||
{
|
||||
name: 'Name',
|
||||
field: 'name',
|
||||
},
|
||||
{
|
||||
name: '# of Users',
|
||||
field: 'user_ids',
|
||||
renderer: (user_ids) => Array.isArray(user_ids) ? user_ids.length : 0,
|
||||
},
|
||||
],
|
||||
actions: [
|
||||
{
|
||||
type: 'resource',
|
||||
position: 'main',
|
||||
action: 'insert',
|
||||
text: 'Create New',
|
||||
color: 'success',
|
||||
},
|
||||
{
|
||||
type: 'resource',
|
||||
position: 'row',
|
||||
action: 'update',
|
||||
icon: 'fa fa-edit',
|
||||
color: 'primary',
|
||||
},
|
||||
{
|
||||
type: 'resource',
|
||||
position: 'row',
|
||||
action: 'delete',
|
||||
icon: 'fa fa-times',
|
||||
color: 'danger',
|
||||
confirm: true,
|
||||
},
|
||||
],
|
||||
}
|
||||
|
||||
form_definition = {
|
||||
fields: [
|
||||
{
|
||||
name: 'Name',
|
||||
field: 'name',
|
||||
placeholder: 'Some Cool Users',
|
||||
required: true,
|
||||
type: 'text',
|
||||
},
|
||||
{
|
||||
name: 'Users',
|
||||
field: 'user_ids',
|
||||
type: 'select.dynamic.multiple',
|
||||
options: {
|
||||
resource: 'auth/User',
|
||||
display: (user) => `${user.last_name}, ${user.first_name} (${user.uid})`,
|
||||
value: 'id',
|
||||
},
|
||||
},
|
||||
],
|
||||
}
|
||||
}
|
||||
|
||||
const auth_group = new GroupResource()
|
||||
export { auth_group }
|
@ -0,0 +1,140 @@
|
||||
import CRUDBase from '../CRUDBase.js'
|
||||
import { session } from '../../service/Session.service.js'
|
||||
|
||||
class PolicyResource extends CRUDBase {
|
||||
endpoint = '/api/v1/iam/policy'
|
||||
required_fields = ['entity_id', 'entity_type', 'target_id', 'target_type', 'access_type']
|
||||
permission_base = 'v1:iam:policy'
|
||||
|
||||
item = 'IAM Policy'
|
||||
plural = 'IAM Policies'
|
||||
|
||||
listing_definition = {
|
||||
display: `
|
||||
Identity & Access Management (IAM) policies give you fine grained control over which ${session.get('app.name')} users and groups are allowed to access which applications.
|
||||
<br><br>
|
||||
An IAM policy has three parts. First, is the subject. The subject is who the policy applies to and is either a user or a group. The second part is the access type. This is either an allowance or a denial. That is, the policy either grants a subject access to a resource, or explicitly denies them access. The final part of the policy is the target. This is the application that the subject is being granted or denied access to.
|
||||
<br><br>
|
||||
Note that IAM policies can be overlapping. So, ${session.get('app.name')}'s policy engine follows a few basic rules when deciding what policies take precedence:
|
||||
<br><br>
|
||||
<ol>
|
||||
<li>User policy takes precedence over group policy.</li>
|
||||
<li>Denials take precedence over approvals.</li>
|
||||
<li>Denials by default.</li>
|
||||
</ol>
|
||||
This means, for example, that if a user's group is allowed access, but a user is denied access, the user will be denied access. Likewise, if there are two policies for a subject, one granting them access and one denying them access, the denial will take precedence.
|
||||
`,
|
||||
columns: [
|
||||
{
|
||||
name: 'Subject',
|
||||
field: 'entity_display',
|
||||
},
|
||||
{
|
||||
name: 'Access Type',
|
||||
field: 'access_type',
|
||||
renderer: access_type => access_type === 'deny' ? '...is denied access to...' : '...is granted access to...',
|
||||
},
|
||||
{
|
||||
name: 'Target',
|
||||
field: 'target_display',
|
||||
},
|
||||
],
|
||||
actions: [
|
||||
{
|
||||
type: 'resource',
|
||||
position: 'main',
|
||||
action: 'insert',
|
||||
text: 'Create New',
|
||||
color: 'success',
|
||||
},
|
||||
{
|
||||
type: 'resource',
|
||||
position: 'row',
|
||||
action: 'update',
|
||||
icon: 'fa fa-edit',
|
||||
color: 'primary',
|
||||
},
|
||||
{
|
||||
type: 'resource',
|
||||
position: 'row',
|
||||
action: 'delete',
|
||||
icon: 'fa fa-times',
|
||||
color: 'danger',
|
||||
confirm: true,
|
||||
},
|
||||
],
|
||||
}
|
||||
|
||||
form_definition = {
|
||||
fields: [
|
||||
{
|
||||
name: 'Subject Type',
|
||||
field: 'entity_type',
|
||||
required: true,
|
||||
type: 'select',
|
||||
options: [
|
||||
{ display: 'User', value: 'user' },
|
||||
{ display: 'Group', value: 'group' },
|
||||
],
|
||||
},
|
||||
{
|
||||
name: 'Subject',
|
||||
field: 'entity_id',
|
||||
required: true,
|
||||
type: 'select.dynamic',
|
||||
options: {
|
||||
resource: 'auth/User',
|
||||
display: user => `User: ${user.last_name}, ${user.first_name} (${user.uid})`,
|
||||
value: 'id',
|
||||
},
|
||||
if: (form_data) => form_data.entity_type === 'user',
|
||||
},
|
||||
{
|
||||
name: 'Subject',
|
||||
field: 'entity_id',
|
||||
required: true,
|
||||
type: 'select.dynamic',
|
||||
options: {
|
||||
resource: 'auth/Group',
|
||||
display: group => `Group: ${group.name} (${group.user_ids.length} users)`,
|
||||
value: 'id',
|
||||
},
|
||||
if: (form_data) => form_data.entity_type === 'group',
|
||||
},
|
||||
{
|
||||
name: 'Access Type',
|
||||
field: 'access_type',
|
||||
required: true,
|
||||
type: 'select',
|
||||
options: [
|
||||
{ display: '...is granted access to...', value: 'allow' },
|
||||
{ display: '...is denied access to...', value: 'deny' },
|
||||
],
|
||||
},
|
||||
{
|
||||
name: 'Target Type',
|
||||
field: 'target_type',
|
||||
required: true,
|
||||
type: 'select',
|
||||
options: [
|
||||
{ display: 'Application', value: 'application' },
|
||||
],
|
||||
},
|
||||
{
|
||||
name: 'Target',
|
||||
field: 'target_id',
|
||||
required: true,
|
||||
type: 'select.dynamic',
|
||||
options: {
|
||||
resource: 'App',
|
||||
display: 'name',
|
||||
value: 'id',
|
||||
},
|
||||
if: (form_data) => form_data.target_type === 'application'
|
||||
},
|
||||
],
|
||||
}
|
||||
}
|
||||
|
||||
const iam_policy = new PolicyResource()
|
||||
export { iam_policy }
|
@ -0,0 +1,107 @@
|
||||
import CRUDBase from '../CRUDBase.js'
|
||||
import { session } from '../../service/Session.service.js';
|
||||
|
||||
class ClientResource extends CRUDBase {
|
||||
endpoint = '/api/v1/oauth/clients'
|
||||
required_fields = ['name', 'redirect_url', 'api_scopes']
|
||||
permission_base = 'v1:oauth:clients'
|
||||
|
||||
item = 'OAuth2 Client'
|
||||
plural = 'OAuth2 Clients'
|
||||
|
||||
listing_definition = {
|
||||
display: `
|
||||
OAuth2 clients are applications that support authentication over the OAuth2 protocol. This allows you to add a "Sign-In with XXX" button for ${session.get('app.name')} to the application in question. To do this, you need to create an OAuth2 client for that application, and provide the name, redirect URL, and API scopes.
|
||||
<br><br>
|
||||
You must select the API scopes to grant this OAuth2 client. This defines what ${session.get('app.name')} endpoints the application is allowed to access. For most applications, granting the <code>v1:api:users:get</code> and <code>v1:api:groups:get</code> API scopes should be sufficient.
|
||||
<br><br>
|
||||
This method can also be used to access the API for other purposes. Hence, the expansive API scopes. ${session.get('app.name')} uses Flitter-Auth's built-in OAuth2 server under the hood, so you can find details on how to configure the OAuth2 clients <a href="https://flitter.garrettmills.dev/tutorial-flitter-auth-oauth2-server.html" target="_blank">here.</a>
|
||||
`,
|
||||
columns: [
|
||||
{
|
||||
name: 'Client Name',
|
||||
field: 'name',
|
||||
},
|
||||
{
|
||||
name: '# of Scopes',
|
||||
field: 'api_scopes',
|
||||
renderer: (api_scopes) => api_scopes.length,
|
||||
},
|
||||
{
|
||||
name: 'Redirect URL',
|
||||
field: 'redirect_url',
|
||||
},
|
||||
],
|
||||
actions: [
|
||||
{
|
||||
type: 'resource',
|
||||
position: 'main',
|
||||
action: 'insert',
|
||||
text: 'Create New',
|
||||
color: 'success',
|
||||
},
|
||||
{
|
||||
type: 'resource',
|
||||
position: 'row',
|
||||
action: 'update',
|
||||
icon: 'fa fa-edit',
|
||||
color: 'primary',
|
||||
},
|
||||
{
|
||||
type: 'resource',
|
||||
position: 'row',
|
||||
action: 'delete',
|
||||
icon: 'fa fa-times',
|
||||
color: 'danger',
|
||||
confirm: true,
|
||||
},
|
||||
],
|
||||
}
|
||||
|
||||
form_definition = {
|
||||
fields: [
|
||||
{
|
||||
name: 'Client Name',
|
||||
field: 'name',
|
||||
placeholder: 'Awesome External App',
|
||||
required: true,
|
||||
type: 'text',
|
||||
},
|
||||
{
|
||||
name: 'Redirect URL',
|
||||
field: 'redirect_url',
|
||||
placeholder: 'https://awesome.app/oauth2/callback',
|
||||
required: true,
|
||||
type: 'text',
|
||||
},
|
||||
{
|
||||
name: 'API Scopes',
|
||||
field: 'api_scopes',
|
||||
type: 'select.dynamic.multiple',
|
||||
options: {
|
||||
resource: 'reflect/Scope',
|
||||
display: 'scope',
|
||||
value: 'scope',
|
||||
},
|
||||
required: true,
|
||||
},
|
||||
{
|
||||
name: 'Client ID',
|
||||
field: 'uuid',
|
||||
type: 'text',
|
||||
readonly: true,
|
||||
hidden: ['insert'],
|
||||
},
|
||||
{
|
||||
name: 'Client Secret',
|
||||
field: 'secret',
|
||||
type: 'text',
|
||||
readonly: true,
|
||||
hidden: ['insert'],
|
||||
},
|
||||
],
|
||||
}
|
||||
}
|
||||
|
||||
const oauth_client = new ClientResource()
|
||||
export { oauth_client }
|
@ -0,0 +1,13 @@
|
||||
import CRUDBase from '../CRUDBase.js'
|
||||
|
||||
class ScopeResource extends CRUDBase {
|
||||
endpoint = '/api/v1/reflect/scopes'
|
||||
required_fields = ['scope']
|
||||
permission_base = 'v1:reflect:scopes'
|
||||
|
||||
item = 'API Scope'
|
||||
plural = 'API Scopes'
|
||||
}
|
||||
|
||||
const reflect_scope = new ScopeResource()
|
||||
export { reflect_scope }
|
@ -0,0 +1,89 @@
|
||||
import CRUDBase from '../CRUDBase.js'
|
||||
|
||||
class TokenResource extends CRUDBase {
|
||||
endpoint = '/api/v1/reflect/tokens'
|
||||
required_fields = ['client_id']
|
||||
permission_base = 'v1:reflect:tokens'
|
||||
|
||||
item = 'API Token'
|
||||
plural = 'API Tokens'
|
||||
|
||||
listing_definition = {
|
||||
display: `
|
||||
This allows you to create bearer tokens manually to allow for easier testing of the API. Notably, this is meant as a measure for testing and development, not for long term use.
|
||||
<br><br>
|
||||
If you have an application that needs to regularly interact with the API, set it up as an <a href="/dash/c/listing/oauth/Client">OAuth2 Client</a>. Manually-created tokens expire 7 days after their creation.
|
||||
`,
|
||||
columns: [
|
||||
{
|
||||
name: 'Token',
|
||||
field: 'token',
|
||||
},
|
||||
{
|
||||
name: 'Client',
|
||||
field: 'client_display',
|
||||
},
|
||||
{
|
||||
name: 'Expires',
|
||||
field: 'expires',
|
||||
},
|
||||
],
|
||||
actions: [
|
||||
{
|
||||
type: 'resource',
|
||||
position: 'main',
|
||||
action: 'insert',
|
||||
text: 'Create New',
|
||||
color: 'success',
|
||||
},
|
||||
{
|
||||
type: 'resource',
|
||||
position: 'row',
|
||||
action: 'update',
|
||||
icon: 'fa fa-edit',
|
||||
color: 'primary',
|
||||
},
|
||||
{
|
||||
type: 'resource',
|
||||
position: 'row',
|
||||
action: 'delete',
|
||||
icon: 'fa fa-times',
|
||||
color: 'danger',
|
||||
confirm: true,
|
||||
},
|
||||
],
|
||||
}
|
||||
|
||||
form_definition = {
|
||||
fields: [
|
||||
{
|
||||
name: 'Client',
|
||||
field: 'client_id',
|
||||
required: true,
|
||||
type: 'select.dynamic',
|
||||
options: {
|
||||
resource: 'oauth/Client',
|
||||
display: 'name',
|
||||
value: 'uuid',
|
||||
},
|
||||
},
|
||||
{
|
||||
name: 'Bearer Token',
|
||||
field: 'token',
|
||||
type: 'text',
|
||||
readonly: true,
|
||||
hidden: ['insert'],
|
||||
},
|
||||
{
|
||||
name: 'Expires',
|
||||
field: 'expires',
|
||||
type: 'text',
|
||||
readonly: true,
|
||||
hidden: ['insert'],
|
||||
},
|
||||
],
|
||||
}
|
||||
}
|
||||
|
||||
const reflect_token = new TokenResource()
|
||||
export { reflect_token }
|
@ -0,0 +1,272 @@
|
||||
const { Controller } = require('libflitter')
|
||||
|
||||
class AppController extends Controller {
|
||||
static get services() {
|
||||
return [...super.services, 'models', 'utility']
|
||||
}
|
||||
|
||||
async get_applications(req, res, next) {
|
||||
const Application = this.models.get('Application')
|
||||
const applications = await Application.find({ active: true })
|
||||
const data = []
|
||||
|
||||
for ( const app of applications ) {
|
||||
if ( req.user.can(`app:${app.id}:view`) ) {
|
||||
data.push(await app.to_api())
|
||||
}
|
||||
}
|
||||
|
||||
return res.api(data)
|
||||
}
|
||||
|
||||
async get_application(req, res, next) {
|
||||
const Application = this.models.get('Application')
|
||||
const application = await Application.findById(req.params.id)
|
||||
|
||||
if ( !application || !application.active )
|
||||
return res.status(404)
|
||||
.message('Application not found with that ID.')
|
||||
.api()
|
||||
|
||||
if ( !req.user.can(`app:${application.id}:view`) )
|
||||
return res.status(401)
|
||||
.message('Insufficient permissions.')
|
||||
.api()
|
||||
|
||||
return res.api(await application.to_api())
|
||||
}
|
||||
|
||||
async create_application(req, res, next) {
|
||||
const Application = this.models.get('Application')
|
||||
|
||||
if ( !req.user.can('app:create') )
|
||||
return res.status(401)
|
||||
.message('Insufficient permissions.')
|
||||
.api()
|
||||
|
||||
const required_fields = ['name', 'identifier']
|
||||
for ( const field of required_fields ) {
|
||||
if ( !req.body[field] )
|
||||
return res.status(400)
|
||||
.message(`Missing required field: ${field}`)
|
||||
.api()
|
||||
}
|
||||
|
||||
// Make sure the identifier is properly formatted
|
||||
if ( !(new RegExp('^[a-zA-Z0-9_]*$')).test(req.body.identifier) )
|
||||
return res.status(400)
|
||||
.message('Improperly formatted field: identifier (alphanumeric with underscores only)')
|
||||
.api()
|
||||
|
||||
// Make sure the identifier is unique
|
||||
const existing_app = await Application.findOne({ identifier: req.body.identifier })
|
||||
if ( existing_app )
|
||||
return res.status(400)
|
||||
.message('An Application with that identifier already exists.')
|
||||
.api()
|
||||
|
||||
const application = new Application({
|
||||
name: req.body.name,
|
||||
identifier: req.body.identifier,
|
||||
description: req.body.description,
|
||||
})
|
||||
|
||||
// Verify LDAP client IDs
|
||||
const LDAPClient = this.models.get('ldap:Client')
|
||||
if ( req.body.ldap_client_ids ) {
|
||||
const parsed = typeof req.body.ldap_client_ids === 'string' ? this.utility.infer(req.body.ldap_client_ids) : req.body.ldap_client_ids
|
||||
const ldap_client_ids = Array.isArray(parsed) ? parsed : [parsed]
|
||||
for ( const id of ldap_client_ids ) {
|
||||
const client = await LDAPClient.findById(id)
|
||||
if ( !client || !client.active || !req.user.can(`ldap:client:${client.id}:view`) )
|
||||
return res.status(400)
|
||||
.message(`Invalid ldap_client_id: ${id}`)
|
||||
.api()
|
||||
|
||||
const other_assoc_app = await Application.findOne({ ldap_client_ids: client.id })
|
||||
if ( other_assoc_app )
|
||||
return res.status(400)
|
||||
.message(`The LDAP client ${client.name} is already associated with an existing application (${other_assoc_app.name}).`)
|
||||
.api()
|
||||
}
|
||||
|
||||
application.ldap_client_ids = ldap_client_ids
|
||||
}
|
||||
|
||||
// Verify OAuth client IDs
|
||||
const OAuthClient = this.models.get('oauth:Client')
|
||||
if ( req.body.oauth_client_ids ) {
|
||||
const parsed = typeof req.body.oauth_client_ids === 'string' ? this.utility.infer(req.body.oauth_client_ids) : req.body.oauth_client_ids
|
||||
const oauth_client_ids = Array.isArray(parsed) ? parsed : [parsed]
|
||||
for ( const id of oauth_client_ids ) {
|
||||
const client = await OAuthClient.findById(id)
|
||||
if ( !client || !client.active || !req.user.can(`oauth:client:${client.id}:view`) )
|
||||
return res.status(400)
|
||||
.message(`Invalid oauth_client_id: ${id}`)
|
||||
.api()
|
||||
|
||||
const other_assoc_app = await Application.findOne({ oauth_client_ids: client.id })
|
||||
if ( other_assoc_app )
|
||||
return res.status(400)
|
||||
.message(`The OAuth2 client ${client.name} is already associated with an existing application (${other_assoc_app.name}).`)
|
||||
.api()
|
||||
}
|
||||
|
||||
application.oauth_client_ids = oauth_client_ids
|
||||
}
|
||||
|
||||
// Verify SAML service provider IDs
|
||||
const ServiceProvider = this.models.get('saml:ServiceProvider')
|
||||
if ( req.body.saml_service_provider_ids ) {
|
||||
const parsed = typeof req.body.saml_service_provider_ids === 'string' ? this.utility.infer(req.body.saml_service_provider_ids) : req.body.saml_service_provider_ids
|
||||
const saml_service_provider_ids = Array.isArray(parsed) ? parsed : [parsed]
|
||||
for ( const id of saml_service_provider_ids ) {
|
||||
const provider = await ServiceProvider.findById(id)
|
||||
if ( !provider || !provider.active || !req.user.can(`saml:provider:${provider.id}:view`) )
|
||||
return res.status(400)
|
||||
.message(`Invalid saml_service_provider_id: ${id}`)
|
||||
.api()
|
||||
|
||||
const other_assoc_app = await Application.findOne({ saml_service_provider_ids: provider.id })
|
||||
if ( other_assoc_app )
|
||||
return res.status(400)
|
||||
.message(`The SAML service provider ${provider.name} is already associated with an existing application (${other_assoc_app.name}).`)
|
||||
.api()
|
||||
}
|
||||
|
||||
application.saml_service_provider_ids = saml_service_provider_ids
|
||||
}
|
||||
|
||||
await application.save()
|
||||
return res.api(await application.to_api())
|
||||
}
|
||||
|
||||
async update_application(req, res, next) {
|
||||
const Application = this.models.get('Application')
|
||||
const application = await Application.findById(req.params.id)
|
||||
|
||||
if ( !application || !application.active )
|
||||
return res.status(404)
|
||||
.message('Application not found with that ID.')
|
||||
.api()
|
||||
|
||||
if ( !req.user.can(`app:${application.id}:update`) )
|
||||
return res.status(401)
|
||||
.message('Insufficient permissions.')
|
||||
.api()
|
||||
|
||||
const required_fields = ['name', 'identifier']
|
||||
for ( const field of required_fields ) {
|
||||
if ( !req.body[field] )
|
||||
return res.status(400)
|
||||
.message(`Missing required field: ${field}`)
|
||||
.api()
|
||||
}
|
||||
|
||||
// Make sure the identifier is properly formatted
|
||||
if ( !(new RegExp('^[a-zA-Z0-9_]*$')).test(req.body.identifier) )
|
||||
return res.status(400)
|
||||
.message('Improperly formatted field: identifier (alphanumeric with underscores only)')
|
||||
.api()
|
||||
|
||||
// Make sure the identifier is unique
|
||||
const existing_app = await Application.findOne({ identifier: req.body.identifier })
|
||||
if ( existing_app && existing_app.id !== application.id )
|
||||
return res.status(400)
|
||||
.message('An Application with that identifier already exists.')
|
||||
.api()
|
||||
|
||||
// Verify LDAP client IDs
|
||||
const LDAPClient = this.models.get('ldap:Client')
|
||||
if ( req.body.ldap_client_ids ) {
|
||||
const parsed = typeof req.body.ldap_client_ids === 'string' ? this.utility.infer(req.body.ldap_client_ids) : req.body.ldap_client_ids
|
||||
const ldap_client_ids = Array.isArray(parsed) ? parsed : [parsed]
|
||||
for ( const id of ldap_client_ids ) {
|
||||
const client = await LDAPClient.findById(id)
|
||||
if ( !client || !client.active || !req.user.can(`ldap:client:${client.id}:view`) )
|
||||
return res.status(400)
|
||||
.message(`Invalid ldap_client_id: ${id}`)
|
||||
.api()
|
||||
|
||||
const other_assoc_app = await Application.findOne({ ldap_client_ids: client.id })
|
||||
if ( other_assoc_app && other_assoc_app.id !== application.id )
|
||||
return res.status(400)
|
||||
.message(`The LDAP client ${client.name} is already associated with an existing application (${other_assoc_app.name}).`)
|
||||
.api()
|
||||
}
|
||||
|
||||
application.ldap_client_ids = ldap_client_ids
|
||||
} else application.ldap_client_ids = []
|
||||
|
||||
// Verify OAuth client IDs
|
||||
const OAuthClient = this.models.get('oauth:Client')
|
||||
if ( req.body.oauth_client_ids ) {
|
||||
const parsed = typeof req.body.oauth_client_ids === 'string' ? this.utility.infer(req.body.oauth_client_ids) : req.body.oauth_client_ids
|
||||
const oauth_client_ids = Array.isArray(parsed) ? parsed : [parsed]
|
||||
for ( const id of oauth_client_ids ) {
|
||||
const client = await OAuthClient.findById(id)
|
||||
if ( !client || !client.active || !req.user.can(`oauth:client:${client.id}:view`) )
|
||||
return res.status(400)
|
||||
.message(`Invalid oauth_client_id: ${id}`)
|
||||
.api()
|
||||
|
||||
const other_assoc_app = await Application.findOne({ oauth_client_ids: client.id })
|
||||
if ( other_assoc_app && other_assoc_app.id !== application.id )
|
||||
return res.status(400)
|
||||
.message(`The OAuth2 client ${client.name} is already associated with an existing application (${other_assoc_app.name}).`)
|
||||
.api()
|
||||
}
|
||||
|
||||
application.oauth_client_ids = oauth_client_ids
|
||||
} else application.oauth_client_ids = []
|
||||
|
||||
// Verify SAML service provider IDs
|
||||
const ServiceProvider = this.models.get('saml:ServiceProvider')
|
||||
if ( req.body.saml_service_provider_ids ) {
|
||||
const parsed = typeof req.body.saml_service_provider_ids === 'string' ? this.utility.infer(req.body.saml_service_provider_ids) : req.body.saml_service_provider_ids
|
||||
const saml_service_provider_ids = Array.isArray(parsed) ? parsed : [parsed]
|
||||
for ( const id of saml_service_provider_ids ) {
|
||||
const provider = await ServiceProvider.findById(id)
|
||||
if ( !provider || !provider.active || !req.user.can(`saml:provider:${provider.id}:view`) )
|
||||
return res.status(400)
|
||||
.message(`Invalid saml_service_provider_id: ${id}`)
|
||||
.api()
|
||||
|
||||
const other_assoc_app = await Application.findOne({ saml_service_provider_ids: provider.id })
|
||||
if ( other_assoc_app && other_assoc_app.id !== application.id )
|
||||
return res.status(400)
|
||||
.message(`The SAML service provider ${provider.name} is already associated with an existing application (${other_assoc_app.name}).`)
|
||||
.api()
|
||||
}
|
||||
|
||||
application.saml_service_provider_ids = saml_service_provider_ids
|
||||
} else application.saml_service_provider_ids = []
|
||||
|
||||
application.name = req.body.name
|
||||
application.identifier = req.body.identifier
|
||||
application.description = req.body.description
|
||||
await application.save()
|
||||
return res.api(await application.to_api())
|
||||
}
|
||||
|
||||
async delete_application(req, res, next) {
|
||||
const Application = this.models.get('Application')
|
||||
const application = await Application.findById(req.params.id)
|
||||
|
||||
if ( !application || !application.active )
|
||||
return res.status(404)
|
||||
.message('Application not found with that ID.')
|
||||
.api()
|
||||
|
||||
if ( !req.user.can(`app:${application.id}:delete`) )
|
||||
return res.status(401)
|
||||
.message('Insufficient permissions.')
|
||||
.api()
|
||||
|
||||
application.active = false
|
||||
await application.save()
|
||||
return res.api()
|
||||
}
|
||||
}
|
||||
|
||||
module.exports = exports = AppController
|
@ -0,0 +1,236 @@
|
||||
const { Controller } = require('libflitter')
|
||||
|
||||
class IAMController extends Controller {
|
||||
static get services() {
|
||||
return [...super.services, 'models']
|
||||
}
|
||||
|
||||
async check_entity_access(req, res, next) {
|
||||
const Policy = this.models.get('iam:Policy')
|
||||
|
||||
if ( !req.body.entity_id && !req.body.target_id )
|
||||
return res.status(400)
|
||||
.message('Missing one or more required fields: entity_id, target_id')
|
||||
.api()
|
||||
|
||||
return res.api(await Policy.check_entity_access(req.body.entity_id, req.body.target_id))
|
||||
}
|
||||
|
||||
async check_user_access(req, res, next) {
|
||||
const User = this.models.get('auth:User')
|
||||
const Policy = this.models.get('iam:Policy')
|
||||
|
||||
if ( !req.body.target_id )
|
||||
return res.status(400)
|
||||
.message('Missing required field: target_id')
|
||||
.api()
|
||||
|
||||
let user = req.user
|
||||
if ( req.body.user_id && req.body.user_id !== 'me' )
|
||||
user = await User.findById(req.body.user_id)
|
||||
|
||||
if ( !user )
|
||||
return res.status(404)
|
||||
.message('User not found with that ID.')
|
||||
.api()
|
||||
|
||||
if ( !req.user.can(`auth:user:${user.id}:view`) )
|
||||
return res.status(401)
|
||||
.message('Insufficient permissions.')
|
||||
.api()
|
||||
|
||||
return res.api(await Policy.check_user_access(user, req.body.target_id))
|
||||
}
|
||||
|
||||
async get_policies(req, res, next) {
|
||||
const Policy = this.models.get('iam:Policy')
|
||||
const policies = await Policy.find({ active: true })
|
||||
const data = []
|
||||
|
||||
for ( const policy of policies ) {
|
||||
if ( req.user.can(`iam:policy:${policy.id}:view`) ) {
|
||||
data.push(await policy.to_api())
|
||||
}
|
||||
}
|
||||
|
||||
return res.api(data)
|
||||
}
|
||||
|
||||
async get_policy(req, res, next) {
|
||||
const Policy = this.models.get('iam:Policy')
|
||||
const policy = await Policy.findById(req.params.id)
|
||||
|
||||
if ( !policy )
|
||||
return res.status(404)
|
||||
.message('Policy not found with that ID.')
|
||||
.api()
|
||||
|
||||
if ( !req.user.can(`iam:policy:${policy.id}:view`) )
|
||||
return res.status(401)
|
||||
.message('Insufficient permissions.')
|
||||
.api()
|
||||
|
||||
return res.api(await policy.to_api())
|
||||
}
|
||||
|
||||
async create_policy(req, res, next) {
|
||||
const Policy = this.models.get('iam:Policy')
|
||||
|
||||
const required_fields = ['entity_type', 'entity_id', 'access_type', 'target_type', 'target_id']
|
||||
for ( const field of required_fields ) {
|
||||
if ( !req.body[field] )
|
||||
return res.status(400)
|
||||
.message(`Missing required field: ${field}`)
|
||||
.api()
|
||||
}
|
||||
|
||||
if ( !['user', 'group'].includes(req.body.entity_type) )
|
||||
return res.status(400)
|
||||
.message('Invalid entity_type. Must be one of: user, group.')
|
||||
.api()
|
||||
|
||||
// Make sure the entity_id is valid
|
||||
if ( req.body.entity_type === 'user' ) {
|
||||
const User = this.models.get('auth:User')
|
||||
const user = await User.findById(req.body.entity_id)
|
||||
if ( !user || !req.user.can(`auth:user:${user.id}:view`) )
|
||||
return res.status(400)
|
||||
.message('Invalid entity_id.')
|
||||
.api()
|
||||
} else if ( req.body.entity_type === 'group' ) {
|
||||
const Group = this.models.get('auth:Group')
|
||||
const group = await Group.findById(req.body.entity_id)
|
||||
if ( !group || !group.active || !req.user.can(`auth:group:${group.id}:view`) )
|
||||
return res.status(400)
|
||||
.message('Invalid entity_id.')
|
||||
.api()
|
||||
}
|
||||
|
||||
if ( !['allow', 'deny'].includes(req.body.access_type) )
|
||||
return res.status(400)
|
||||
.message('Invalid access_type. Must be one of: allow, deny.')
|
||||
.api()
|
||||
|
||||
if ( !['application'].includes(req.body.target_type) )
|
||||
return res.status(400)
|
||||
.message('Invalid target_type. Must be one of: application.')
|
||||
.api()
|
||||
|
||||
// Make sure the target_id is valid
|
||||
if ( req.body.target_type === 'application' ) {
|
||||
const Application = this.models.get('Application')
|
||||
const app = await Application.findById(req.body.target_id)
|
||||
if ( !app || !app.active || !req.user.can(`app:${app.id}:view`) )
|
||||
return res.status(400)
|
||||
.message('Invalid target_id.')
|
||||
.api()
|
||||
}
|
||||
|
||||
const policy = new Policy({
|
||||
entity_type: req.body.entity_type,
|
||||
entity_id: req.body.entity_id,
|
||||
access_type: req.body.access_type,
|
||||
target_type: req.body.target_type,
|
||||
target_id: req.body.target_id,
|
||||
})
|
||||
|
||||
await policy.save()
|
||||
req.user.allow(`iam:policy:${policy.id}`)
|
||||
await req.user.save()
|
||||
return res.api(await policy.to_api())
|
||||
}
|
||||
|
||||
async update_policy(req, res, next) {
|
||||
const Policy = this.models.get('iam:Policy')
|
||||
const policy = await Policy.findById(req.params.id)
|
||||
|
||||
if ( !policy || !policy.active )
|
||||
return res.status(404)
|
||||
.message('Policy not found with that ID.')
|
||||
.api()
|
||||
|
||||
if ( !req.user.can(`iam:policy:${policy.id}:update`) )
|
||||
return res.status(401)
|
||||
.message('Insufficient permissions.')
|
||||
.api()
|
||||
|
||||
const required_fields = ['entity_type', 'entity_id', 'access_type', 'target_type', 'target_id']
|
||||
for ( const field of required_fields ) {
|
||||
if ( !req.body[field] )
|
||||
return res.status(400)
|
||||
.message(`Missing required field: ${field}`)
|
||||
.api()
|
||||
}
|
||||
|
||||
if ( !['user', 'group'].includes(req.body.entity_type) )
|
||||
return res.status(400)
|
||||
.message('Invalid entity_type. Must be one of: user, group.')
|
||||
.api()
|
||||
|
||||
// Make sure the entity_id is valid
|
||||
if ( req.body.entity_type === 'user' ) {
|
||||
const User = this.models.get('auth:User')
|
||||
const user = await User.findById(req.body.entity_id)
|
||||
if ( !user || !req.user.can(`auth:user:${user.id}:view`) )
|
||||
return res.status(400)
|
||||
.message('Invalid entity_id.')
|
||||
.api()
|
||||
} else if ( req.body.entity_type === 'group' ) {
|
||||
const Group = this.models.get('auth:Group')
|
||||
const group = await Group.findById(req.body.entity_id)
|
||||
if ( !group || !group.active || !req.user.can(`auth:group:${group.id}:view`) )
|
||||
return res.status(400)
|
||||
.message('Invalid entity_id.')
|
||||
.api()
|
||||
}
|
||||
|
||||
if ( !['allow', 'deny'].includes(req.body.access_type) )
|
||||
return res.status(400)
|
||||
.message('Invalid access_type. Must be one of: allow, deny.')
|
||||
.api()
|
||||
|
||||
if ( !['application'].includes(req.body.target_type) )
|
||||
return res.status(400)
|
||||
.message('Invalid target_type. Must be one of: application.')
|
||||
.api()
|
||||
|
||||
// Make sure the target_id is valid
|
||||
if ( req.body.target_type === 'application' ) {
|
||||
const Application = this.models.get('Application')
|
||||
const app = await Application.findById(req.body.target_id)
|
||||
if ( !app || !app.active || !req.user.can(`app:${app.id}:view`) )
|
||||
return res.status(400)
|
||||
.message('Invalid target_id.')
|
||||
.api()
|
||||
}
|
||||
|
||||
policy.entity_type = req.body.entity_type
|
||||
policy.entity_id = req.body.entity_id
|
||||
policy.access_type = req.body.access_type
|
||||
policy.target_type = req.body.target_type
|
||||
policy.target_id = req.body.target_id
|
||||
await policy.save()
|
||||
return res.api()
|
||||
}
|
||||
|
||||
async delete_policy(req, res, next) {
|
||||
const Policy = this.models.get('iam:Policy')
|
||||
const policy = await Policy.findById(req.params.id)
|
||||
|
||||
if ( !policy || !policy.active )
|
||||
return res.status(404)
|
||||
.message('Policy not found with that ID.')
|
||||
.api()
|
||||
|
||||
if ( !req.user.can(`iam:policy:${policy.id}:delete`) )
|
||||
return res.status(401)
|
||||
.message('Insufficient permissions.')
|
||||
.api()
|
||||
|
||||
policy.active = false
|
||||
await policy.save()
|
||||
return res.api()
|
||||
}
|
||||
}
|
||||
|
||||
module.exports = exports = IAMController
|
@ -0,0 +1,136 @@
|
||||
const { Controller } = require('libflitter')
|
||||
const is_absolute_url = require('is-absolute-url')
|
||||
|
||||
class OAuthController extends Controller {
|
||||
static get services() {
|
||||
return [...super.services, 'models']
|
||||
}
|
||||
|
||||
async get_clients(req, res, next) {
|
||||
const Client = this.models.get('oauth:Client')
|
||||
const clients = await Client.find({ active: true })
|
||||
const data = []
|
||||
|
||||
for ( const client of clients ) {
|
||||
if ( req.user.can(`oauth:client:${client.id}:view`) ) {
|
||||
data.push(await client.to_api())
|
||||
}
|
||||
}
|
||||
|
||||
return res.api(data)
|
||||
}
|
||||
|
||||
async get_client(req, res, next) {
|
||||
const Client = this.models.get('oauth:Client')
|
||||
const client = await Client.findById(req.params.id)
|
||||
|
||||
if ( !client || !client.active )
|
||||
return res.status(404)
|
||||
.message('Client not found with that ID.')
|
||||
.api()
|
||||
|
||||
if ( !req.user.can(`oauth:client:${client.id}:view`) )
|
||||
return res.status(401)
|
||||
.message('Insufficient permissions.')
|
||||
.api()
|
||||
|
||||
return res.api(await client.to_api())
|
||||
}
|
||||
|
||||
async create_client(req, res, next) {
|
||||
if ( !req.user.can('oauth:client:create') )
|
||||
return res.status(401)
|
||||
.message('Insufficient permissions.')
|
||||
.api()
|
||||
|
||||
const required_fields = ['name', 'api_scopes', 'redirect_url']
|
||||
for ( const field of required_fields ) {
|
||||
if ( !req.body[field] )
|
||||
return res.status(400)
|
||||
.message(`Missing required field: ${field}`)
|
||||
.api()
|
||||
}
|
||||
|
||||
if ( !Array.isArray(req.body.api_scopes) ) {
|
||||
return res.status(400)
|
||||
.message(`Improperly formatted field: api_scopes (should be array)`)
|
||||
.api()
|
||||
}
|
||||
|
||||
if ( !is_absolute_url(req.body.redirect_url) )
|
||||
return res.status(400)
|
||||
.message(`Improperly formatted field: redirect_url (should be absolute URL)`)
|
||||
.api()
|
||||
|
||||
const Client = this.models.get('oauth:Client')
|
||||
const client = new Client({
|
||||
name: req.body.name,
|
||||
api_scopes: req.body.api_scopes,
|
||||
redirect_url: req.body.redirect_url,
|
||||
})
|
||||
|
||||
await client.save()
|
||||
return res.api(await client.to_api())
|
||||
}
|
||||
|
||||
async update_client(req, res, next) {
|
||||
const Client = this.models.get('oauth:Client')
|
||||
const client = await Client.findById(req.params.id)
|
||||
|
||||
if ( !client || !client.active )
|
||||
return res.status(404)
|
||||
.message('Client not found with that ID.')
|
||||
.api()
|
||||
|
||||
if ( !req.user.can(`oauth:client:${client.id}:update`) )
|
||||
return res.status(401)
|
||||
.message('Insufficient permissions.')
|
||||
.api()
|
||||
|
||||
const required_fields = ['name', 'api_scopes', 'redirect_url']
|
||||
for ( const field of required_fields ) {
|
||||
if ( !req.body[field] )
|
||||
return res.status(400)
|
||||
.message(`Missing required field: ${field}`)
|
||||
.api()
|
||||
}
|
||||
|
||||
if ( !Array.isArray(req.body.api_scopes) )
|
||||
return res.status(400)
|
||||
.message(`Improperly formatted field: api_scopes (should be array)`)
|
||||
.api()
|
||||
|
||||
if ( !is_absolute_url(req.body.redirect_url) )
|
||||
return res.status(400)
|
||||
.message(`Improperly formatted field: redirect_url (should be absolute URL)`)
|
||||
.api()
|
||||
|
||||
client.name = req.body.name
|
||||
client.api_scopes = req.body.api_scopes
|
||||
client.redirect_url = req.body.redirect_url
|
||||
|
||||
await client.save()
|
||||
return res.api()
|
||||
}
|
||||
|
||||
async delete_client(req, res, next) {
|
||||
const Client = this.models.get('oauth:Client')
|
||||
const client = await Client.findById(req.params.id)
|
||||
|
||||
if ( !client || !client.active )
|
||||
return res.status(404)
|
||||
.message('Client not found with that ID.')
|
||||
.api()
|
||||
|
||||
if ( !req.user.can(`oauth:client:${client.id}:delete`) )
|
||||
return res.status(401)
|
||||
.message('Insufficient permissions.')
|
||||
.api()
|
||||
|
||||
client.active = false
|
||||
await client.save()
|
||||
return res.api()
|
||||
}
|
||||
}
|
||||
|
||||
module.exports = exports = OAuthController
|
@ -0,0 +1,184 @@
|
||||
const { Controller } = require('libflitter')
|
||||
const uuid = require('uuid/v4')
|
||||
|
||||
class ReflectController extends Controller {
|
||||
static get services() {
|
||||
return [...super.services, 'routers', 'models']
|
||||
}
|
||||
|
||||
async get_tokens(req, res, next) {
|
||||
const Oauth2BearerToken = this.models.get('auth::Oauth2BearerToken')
|
||||
const tokens = await Oauth2BearerToken.find({
|
||||
expires: { $gt: new Date },
|
||||
userID: req.user.id,
|
||||
})
|
||||
|
||||
const Client = this.models.get('oauth:Client')
|
||||
const data = []
|
||||
for ( const token of tokens ) {
|
||||
const client = await Client.findOne({ uuid: token.clientID })
|
||||
let client_display = client && client.active ? client.name : '(Non-existent Client)'
|
||||
|
||||
data.push({
|
||||
id: token.id,
|
||||
token: token.accessToken,
|
||||
client_id: token.clientID,
|
||||
client_display,
|
||||
expires: token.expires,
|
||||
user_id: token.userID,
|
||||
})
|
||||
}
|
||||
|
||||
return res.api(data)
|
||||
}
|
||||
|
||||
async get_token(req, res, next) {
|
||||
const Oauth2BearerToken = this.models.get('auth::Oauth2BearerToken')
|
||||
const token = await Oauth2BearerToken.findById(req.params.id)
|
||||
|
||||
if ( !token || token.userID !== req.user.id || token.expires <= new Date )
|
||||
return res.status(404)
|
||||
.message('Token not found with that ID, or expired.')
|
||||
.api()
|
||||
|
||||
return res.api({
|
||||
id: token.id,
|
||||
token: token.accessToken,
|
||||
client_id: token.clientID,
|
||||
expires: token.expires,
|
||||
user_id: token.userID,
|
||||
})
|
||||
}
|
||||
|
||||
async create_token(req, res, next) {
|
||||
const Oauth2BearerToken = this.models.get('auth::Oauth2BearerToken')
|
||||
|
||||
if ( !req.body.client_id )
|
||||
return res.status(400)
|
||||
.message('Missing required field: client_id')
|
||||
.api()
|
||||
|
||||
const Client = this.models.get('oauth:Client')
|
||||
const client = await Client.findOne({uuid: req.body.client_id})
|
||||
if ( !client || !client.active )
|
||||
return res.status(400)
|
||||
.message('Invalid client_id.')
|
||||
.api()
|
||||
|
||||
if ( !req.user.can(`oauth:client:${client.id}:view`) )
|
||||
return res.status(401)
|
||||
.message('Insufficient permissions.')
|
||||
.api()
|
||||
|
||||
const expires = new Date()
|
||||
expires.setDate(expires.getDate() + 7)
|
||||
|
||||
const token = new Oauth2BearerToken({
|
||||
accessToken: String(uuid()).replace(/-/g, ''),
|
||||
clientID: client.uuid,
|
||||
expires,
|
||||
userID: req.user.id,
|
||||
})
|
||||
|
||||
await token.save()
|
||||
return res.api({
|
||||
id: token.id,
|
||||
token: token.accessToken,
|
||||
client_id: token.clientID,
|
||||
expires: token.expires,
|
||||
user_id: token.userID,
|
||||
})
|
||||
}
|
||||
|
||||
async update_token(req, res, next) {
|
||||
const Oauth2BearerToken = this.models.get('auth::Oauth2BearerToken')
|
||||
const token = await Oauth2BearerToken.findById(req.params.id)
|
||||
|
||||
if ( !token || token.userID !== req.user.id || token.expires <= new Date )
|
||||
return res.status(404)
|
||||
.message('Token not found with that ID, or expired.')
|
||||
.api()
|
||||
|
||||
if ( !req.body.client_id )
|
||||
return res.status(400)
|
||||
.message('Missing required field: client_id')
|
||||
.api()
|
||||
|
||||
const Client = this.models.get('oauth:Client')
|
||||
const client = await Client.findOne({uuid: req.body.client_id})
|
||||
|
||||
if ( !client || !client.active || !req.user.can(`oauth:client:${client.id}:view`) )
|
||||
return res.status(400)
|
||||
.message('Invalid client_id.')
|
||||
.api()
|
||||
|
||||
token.client_id = client.uuid
|
||||
await token.save()
|
||||
return res.api()
|
||||
}
|
||||
|
||||
async delete_token(req, res, next) {
|
||||
const Oauth2BearerToken = this.models.get('auth::Oauth2BearerToken')
|
||||
const token = await Oauth2BearerToken.findById(req.params.id)
|
||||
|
||||
if ( !token || token.userID !== req.user.id || token.expires <= new Date )
|
||||
return res.status(404)
|
||||
.message('Token not found with that ID, or expired.')
|
||||
.api()
|
||||
|
||||
await token.delete()
|
||||
return res.api()
|
||||
}
|
||||
|
||||
async get_scopes(req, res, next) {
|
||||
const routers = this.routers.canonical_items
|
||||
const scopes = []
|
||||
|
||||
for ( const prefix in routers ) {
|
||||
if ( !routers.hasOwnProperty(prefix) ) continue
|
||||
const router = routers[prefix].schema
|
||||
|
||||
const supported_verbs = ['get', 'post', 'put', 'delete', 'copy', 'patch']
|
||||
for ( const verb of supported_verbs ) {
|
||||
if ( typeof router[verb] === 'object' ) {
|
||||
const defs = router[verb]
|
||||
for ( const def of Object.values(defs) ) {
|
||||
if ( Array.isArray(def) ) {
|
||||
for ( const layer of def ) {
|
||||
if ( Array.isArray(layer) && layer.length > 1 && layer[0] === 'middleware::api:Permission' ) {
|
||||
if ( typeof layer[1] === 'object' && layer[1].check ) {
|
||||
scopes.push(layer[1].check)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
scopes.sort()
|
||||
return res.api(scopes.map(x => {
|
||||
return { scope: x }
|
||||
}))
|
||||
}
|
||||
|
||||
async check_permissions(req, res, next) {
|
||||
if ( !req.body.permissions )
|
||||
return res.status(400)
|
||||
.message('Missing permissions to check.')
|
||||
.api()
|
||||
|
||||
const parsed = typeof req.body.permissions === 'string' ? this.utility.infer(req.body.permissions) : req.body.permissions
|
||||
const permissions = Array.isArray(parsed) ? parsed : [parsed]
|
||||
|
||||
const returns = {}
|
||||
for ( const permission of permissions ) {
|
||||
returns[permission] = req.user.can(permission)
|
||||
}
|
||||
|
||||
return res.api(returns)
|
||||
}
|
||||
}
|
||||
|
||||
module.exports = exports = ReflectController
|
@ -0,0 +1,29 @@
|
||||
const { Model } = require('flitter-orm')
|
||||
|
||||
class ApplicationModel extends Model {
|
||||
static get schema() {
|
||||
return {
|
||||
name: String,
|
||||
identifier: String,
|
||||
description: String,
|
||||
active: { type: Boolean, default: true },
|
||||
saml_service_provider_ids: [String],
|
||||
ldap_client_ids: [String],
|
||||
oauth_client_ids: [String],
|
||||
}
|
||||
}
|
||||
|
||||
async to_api() {
|
||||
return {
|
||||
id: this.id,
|
||||
name: this.name,
|
||||
identifier: this.identifier,
|
||||
description: this.description,
|
||||
saml_service_provider_ids: this.saml_service_provider_ids,
|
||||
ldap_client_ids: this.ldap_client_ids,
|
||||
oauth_client_ids: this.oauth_client_ids,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
module.exports = exports = ApplicationModel
|
@ -0,0 +1,35 @@
|
||||
const { Model } = require('flitter-orm')
|
||||
|
||||
// For organizational purposes only.
|
||||
class GroupModel extends Model {
|
||||
static get services() {
|
||||
return [...super.services, 'models']
|
||||
}
|
||||
|
||||
static get schema() {
|
||||
return {
|
||||
name: String,
|
||||
user_ids: [String],
|
||||
active: { type: Boolean, default: true },
|
||||
}
|
||||
}
|
||||
|
||||
identifier() {
|
||||
return this.name.toLowerCase().replace(/\s/g, '_')
|
||||
}
|
||||
|
||||
async users() {
|
||||
const User = this.models.get('auth:User')
|
||||
return await User.find({ _id: { $in: this.user_ids.map(x => this.constructor.to_object_id(x)) } })
|
||||
}
|
||||
|
||||
async to_api() {
|
||||
return {
|
||||
id: this.id,
|
||||
name: this.name,
|
||||
user_ids: this.user_ids,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
module.exports = exports = GroupModel
|
@ -0,0 +1,127 @@
|
||||
const { Model } = require('flitter-orm')
|
||||
|
||||
// TODO - remove specific :create checks; auto-grant permissions on create
|
||||
|
||||
class PolicyModel extends Model {
|
||||
static get services() {
|
||||
return [...super.services, 'models']
|
||||
}
|
||||
|
||||
static get schema() {
|
||||
return {
|
||||
entity_type: String, // user | group
|
||||
entity_id: String,
|
||||
access_type: String, // allow | deny
|
||||
target_type: { type: String, default: 'application' }, // application
|
||||
target_id: String,
|
||||
active: { type: Boolean, default: true },
|
||||
}
|
||||
}
|
||||
|
||||
static async check_allow(entity_id, target_id) {
|
||||
const policies = await this.find({
|
||||
entity_id,
|
||||
target_id,
|
||||
access_type: 'allow',
|
||||
active: true,
|
||||
})
|
||||
|
||||
return policies.length > 0
|
||||
}
|
||||
|
||||
static async check_deny(entity_id, target_id) {
|
||||
const policies = await this.find({
|
||||
entity_id,
|
||||
target_id,
|
||||
access_type: 'deny',
|
||||
active: true,
|
||||
})
|
||||
|
||||
return policies.length === 0
|
||||
}
|
||||
|
||||
static async check_entity_access(entity_id, target_id) {
|
||||
return (await this.check_allow(entity_id, target_id)) && !(await this.check_deny(entity_id, target_id))
|
||||
}
|
||||
|
||||
static async check_user_access(user, target_id) {
|
||||
const groups = await user.groups()
|
||||
const group_ids = groups.map(x => x.id)
|
||||
|
||||
const user_approvals = await this.find({
|
||||
entity_id: user.id,
|
||||
target_id,
|
||||
approval_type: 'allow',
|
||||
active: true,
|
||||
})
|
||||
|
||||
const user_denials = await this.find({
|
||||
entity_id: user.id,
|
||||
target_id,
|
||||
approval_type: 'deny',
|
||||
active: true,
|
||||
})
|
||||
|
||||
const group_approvals = await this.find({
|
||||
entity_id: { $in: group_ids },
|
||||
target_id,
|
||||
approval_type: 'allow',
|
||||
active: true,
|
||||
})
|
||||
|
||||
const group_denials = await this.find({
|
||||
entity_id: { $in: group_ids },
|
||||
target_id,
|
||||
approval_type: 'deny',
|
||||
active: true,
|
||||
})
|
||||
|
||||
// IF user has explicit denial, deny
|
||||
if ( user_denials.length > 0 ) return false
|
||||
|
||||
// ELSE IF user has explicit approval, approve
|
||||
if ( user_approvals.length > 0 ) return true
|
||||
|
||||
// ELSE IF group has denial, deny
|
||||
if ( group_denials.length > 0 ) return false
|
||||
|
||||
// ELSE IF group has approval, approve
|
||||
if ( group_approvals.length > 0 ) return true
|
||||
|
||||
// ELSE deny
|
||||
return false
|
||||
}
|
||||
|
||||
async to_api() {
|
||||
let entity_display = ''
|
||||
if ( this.entity_type === 'user' ) {
|
||||
const User = this.models.get('auth:User')
|
||||
const user = await User.findById(this.entity_id)
|
||||
entity_display = `User: ${user.last_name}, ${user.first_name} (${user.uid})`
|
||||
} else if ( this.entity_type === 'group' ) {
|
||||
const Group = this.models.get('auth:Group')
|
||||
const group = await Group.findById(this.entity_id)
|
||||
entity_display = `Group: ${group.name} (${group.user_ids.length} users)`
|
||||
}
|
||||
|
||||
let target_display = ''
|
||||
if ( this.target_type === 'application' ) {
|
||||
const Application = this.models.get('Application')
|
||||
const app = await Application.findById(this.target_id)
|
||||
target_display = `Application: ${app.name}`
|
||||
}
|
||||
|
||||
return {
|
||||
id: this.id,
|
||||
entity_display,
|
||||
entity_type: this.entity_type,
|
||||
entity_id: this.entity_id,
|
||||
access_type: this.access_type,
|
||||
target_display,
|
||||
target_type: this.target_type,
|
||||
target_id: this.target_id,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
module.exports = exports = PolicyModel
|
@ -0,0 +1,95 @@
|
||||
const { Model } = require('flitter-orm')
|
||||
const uuid = require('uuid/v4')
|
||||
|
||||
/*
|
||||
* OAuth2 Client Model
|
||||
* ---------------------------------------------------
|
||||
* Represents a single OAuth2 client. This class contains logic
|
||||
* to create/update/delete the associated Flitter-Auth Oauth2Client
|
||||
* instance.
|
||||
*/
|
||||
class ClientModel extends Model {
|
||||
static get services() {
|
||||
return [...super.services, 'models']
|
||||
}
|
||||
|
||||
static get schema() {
|
||||
return {
|
||||
name: String,
|
||||
uuid: {type: String, default: uuid},
|
||||
secret: {type: String, default: uuid},
|
||||
active: {type: Boolean, default: true},
|
||||
api_scopes: [String],
|
||||
redirect_url: String,
|
||||
}
|
||||
}
|
||||
|
||||
can(scope) {
|
||||
return this.api_scopes.includes()
|
||||
}
|
||||
|
||||
async application() {
|
||||
const Application = this.models.get('Application')
|
||||
return Application.findOne({ active: true, oauth_client_ids: this.id })
|
||||
}
|
||||
|
||||
async update_auth_client() {
|
||||
const Oauth2Client = this.models.get('auth::Oauth2Client')
|
||||
let client = await Oauth2Client.findOne({ clientID: this.uuid })
|
||||
|
||||
// There's an associated client, but we're not active, so delete the assoc
|
||||
if ( client && !this.active ) {
|
||||
await client.delete()
|
||||
return
|
||||
}
|
||||
|
||||
if ( !client ) {
|
||||
client = new Oauth2Client({
|
||||
grants: ['authorization_code'],
|
||||
})
|
||||
}
|
||||
|
||||
client.clientID = this.uuid
|
||||
client.clientSecret = this.secret
|
||||
client.name = this.name
|
||||
client.redirectUris = [this.redirect_url]
|
||||
await client.save()
|
||||
}
|
||||
|
||||
async save() {
|
||||
await super.save()
|
||||
|
||||
// Save the associated flitter-auth-compatible client.
|
||||
await this.update_auth_client()
|
||||
}
|
||||
|
||||
async to_api() {
|
||||
return {
|
||||
id: this.id,
|
||||
name: this.name,
|
||||
uuid: this.uuid,
|
||||
secret: this.secret,
|
||||
api_scopes: this.api_scopes,
|
||||
redirect_url: this.redirect_url,
|
||||
}
|
||||
}
|
||||
|
||||
// See flitter-auth/User
|
||||
_array_allow_permission(array_of_permissions, permission) {
|
||||
const permission_parts = permission.split(':')
|
||||
|
||||
for ( let i = permission_parts.length; i > 0; i-- ) {
|
||||
const permission_string = permission_parts.slice(0, i).join(':')
|
||||
if ( array_of_permissions.includes(permission_string) ) return true
|
||||
}
|
||||
|
||||
return false
|
||||
}
|
||||
|
||||
// See flitter-auth/User
|
||||
can(scope){
|
||||
return this._array_allow_permission(this.api_scopes, scope)
|
||||
}
|
||||
}
|
||||
|
||||
module.exports = exports = ClientModel
|
@ -0,0 +1,60 @@
|
||||
const { Middleware } = require('libflitter')
|
||||
|
||||
class APIRouteMiddleware extends Middleware {
|
||||
static get services() {
|
||||
return [...super.services, 'models']
|
||||
}
|
||||
|
||||
async test(req, res, next, { allow_token = true, allow_user = true }) {
|
||||
// First, check if there is a user in the session.
|
||||
if ( allow_user && req.is_auth ) {
|
||||
return next()
|
||||
} else if ( allow_token ) {
|
||||
return req.app.oauth2.authorise()(req, res, async e => {
|
||||
if ( e ) return next(e)
|
||||
// Look up the OAuth2 client an inject it into the route
|
||||
if ( req.user && req.user.id ) {
|
||||
const User = this.models.get('auth:User')
|
||||
const user = await User.findById(req.user.id)
|
||||
if ( !user )
|
||||
return res.status(401)
|
||||
.message('The user this token is associated with no longer exists.')
|
||||
.api()
|
||||
|
||||
req.user = user
|
||||
req.is_auth = true
|
||||
|
||||
// Look up the token and the associated client
|
||||
const Oauth2BearerToken = this.models.get('auth::Oauth2BearerToken')
|
||||
const Client = this.models.get('oauth:Client')
|
||||
|
||||
// e.g. "Bearer XYZ".split(' ')[1] -> "XYZ"
|
||||
const bearer = req.headers.authorization.split(' ')[1]
|
||||
const token = await Oauth2BearerToken.findOne({ accessToken: bearer })
|
||||
if ( !token )
|
||||
return res.status(401)
|
||||
.message('Unable to lookup OAuth2 token.')
|
||||
.api()
|
||||
|
||||
const client = await Client.findOne({uuid: token.clientID})
|
||||
if ( !client )
|
||||
return res.status(401)
|
||||
.message('This OAuth2 client is no longer authorized.')
|
||||
.api()
|
||||
|
||||
req.oauth.token = token
|
||||
req.oauth.client = client
|
||||
} else
|
||||
return res.status(401)
|
||||
.message('Unable to lookup user associated with that token.')
|
||||
.api()
|
||||
|
||||
next()
|
||||
})
|
||||
}
|
||||
|
||||
return res.status(401).api()
|
||||
}
|
||||
}
|
||||
|
||||
module.exports = exports = APIRouteMiddleware
|
@ -0,0 +1,41 @@
|
||||
const app_routes = {
|
||||
prefix: '/api/v1/applications',
|
||||
|
||||
middleware: [
|
||||
'auth:APIRoute',
|
||||
],
|
||||
|
||||
get: {
|
||||
'/': [
|
||||
['middleware::api:Permission', { check: 'v1:applications:list' }],
|
||||
'controller::api:v1:App.get_applications',
|
||||
],
|
||||
'/:id': [
|
||||
['middleware::api:Permission', { check: 'v1:applications:get' }],
|
||||
'controller::api:v1:App.get_application',
|
||||
],
|
||||
},
|
||||
|
||||
post: {
|
||||
'/': [
|
||||
['middleware::api:Permission', { check: 'v1:applications:create' }],
|
||||
'controller::api:v1:App.create_application',
|
||||
],
|
||||
},
|
||||
|
||||
patch: {
|
||||
'/:id': [
|
||||
['middleware::api:Permission', { check: 'v1:applications:update' }],
|
||||
'controller::api:v1:App.update_application',
|
||||
],
|
||||
},
|
||||
|
||||
delete: {
|
||||
'/:id': [
|
||||
['middleware::api:Permission', { check: 'v1:applications:delete' }],
|
||||
'controller::api:v1:App.delete_application',
|
||||
],
|
||||
},
|
||||
}
|
||||
|
||||
module.exports = exports = app_routes
|
@ -0,0 +1,49 @@
|
||||
const iam_routes = {
|
||||
prefix: '/api/v1/iam',
|
||||
|
||||
middleware: [
|
||||
'auth:APIRoute'
|
||||
],
|
||||
|
||||
get: {
|
||||
'/policy': [
|
||||
['middleware::api:Permission', { check: 'v1:iam:policy:list' }],
|
||||
'controller::api:v1:IAM.get_policies',
|
||||
],
|
||||
'/policy/:id': [
|
||||
['middleware::api:Permission', { check: 'v1:iam:policy:get' }],
|
||||
'controller::api:v1:IAM.get_policy',
|
||||
],
|
||||
},
|
||||
|
||||
post: {
|
||||
'/policy': [
|
||||
['middleware::api:Permission', { check: 'v1:iam:policy:create' }],
|
||||
'controller::api:v1:IAM.create_policy',
|
||||
],
|
||||
'/check_entity_access': [
|
||||
['middleware::api:Permission', { check: 'v1:iam:check_entity_access' }],
|
||||
'controller::api:v1:IAM.check_entity_access',
|
||||
],
|
||||
'/check_user_access': [
|
||||
['middleware::api:Permission', { check: 'v1:iam:check_user_access' }],
|
||||
'controller::api:v1:IAM.check_user_access',
|
||||
],
|
||||
},
|
||||
|
||||
patch: {
|
||||
'/policy/:id': [
|
||||
['middleware::api:Permission', { check: 'v1:iam:policy:update' }],
|
||||
'controller::api:v1:IAM.update_policy',
|
||||
],
|
||||
},
|
||||
|
||||
delete: {
|
||||
'/policy/:id': [
|
||||
['middleware::api:Permission', { check: 'v1:iam:policy:delete' }],
|
||||
'controller::api:v1:IAM.delete_policy',
|
||||
],
|
||||
},
|
||||
}
|
||||
|
||||
module.exports = exports = iam_routes
|
@ -0,0 +1,41 @@
|
||||
const oauth_routes = {
|
||||
prefix: '/api/v1/oauth',
|
||||
|
||||
middleware: [
|
||||
'auth:APIRoute',
|
||||
],
|
||||
|
||||
get: {
|
||||
'/clients': [
|
||||
['middleware::api:Permission', { check: 'v1:oauth:clients:list' }],
|
||||
'controller::api:v1:OAuth.get_clients',
|
||||
],
|
||||
'/clients/:id': [
|
||||
['middleware::api:Permission', { check: 'v1:oauth:clients:get' }],
|
||||
'controller::api:v1:OAuth.get_client',
|
||||
],
|
||||
},
|
||||
|
||||
post: {
|
||||
'/clients': [
|
||||
['middleware::api:Permission', { check: 'v1:oauth:clients:create' }],
|
||||
'controller::api:v1:OAuth.create_client',
|
||||
],
|
||||
},
|
||||
|
||||
patch: {
|
||||
'/clients/:id': [
|
||||
['middleware::api:Permission', { check: 'v1:oauth:clients:update' }],
|
||||
'controller::api:v1:OAuth.update_client',
|
||||
],
|
||||
},
|
||||
|
||||
delete: {
|
||||
'/clients/:id': [
|
||||
['middleware::api:Permission', { check: 'v1:oauth:clients:delete' }],
|
||||
'controller::api:v1:OAuth.delete_client',
|
||||
],
|
||||
},
|
||||
}
|
||||
|
||||
module.exports = exports = oauth_routes
|
@ -0,0 +1,50 @@
|
||||
const reflect_routes = {
|
||||
prefix: '/api/v1/reflect',
|
||||
|
||||
middleware: [
|
||||
'auth:APIRoute'
|
||||
],
|
||||
|
||||
get: {
|
||||
'/scopes': [
|
||||
['middleware::api:Permission', { check: 'v1:reflect:scopes' }],
|
||||
'controller::api:v1:Reflect.get_scopes',
|
||||
],
|
||||
'/tokens': [
|
||||
['middleware::api:Permission', { check: 'v1:reflect:tokens:list' }],
|
||||
'controller::api:v1:Reflect.get_tokens',
|
||||
],
|
||||
'/tokens/:id': [
|
||||
['middleware::api:Permission', { check: 'v1:reflect:tokens:get' }],
|
||||
'controller::api:v1:Reflect.get_token',
|
||||
],
|
||||
},
|
||||
|
||||
post: {
|
||||
'/tokens': [
|
||||
['middleware::api:Permission', { check: 'v1:reflect:tokens:create'}],
|
||||
'controller::api:v1:Reflect.create_token',
|
||||
],
|
||||
|
||||
'/check_permissions': [
|
||||
['middleware::api:Permission', { check: 'v1:reflect:check_permissions' }],
|
||||
'controller::api:v1:Reflect.check_permissions',
|
||||
],
|
||||
},
|
||||
|
||||
patch: {
|
||||
'/tokens/:id': [
|
||||
['middleware::api:Permission', { check: 'v1:reflect:tokens:update' }],
|
||||
'controller::api:v1:Reflect.update_token',
|
||||
],
|
||||
},
|
||||
|
||||
delete: {
|
||||
'/tokens/:id': [
|
||||
['middleware::api:Permission', { check: 'v1:reflect:tokens:delete' }],
|
||||
'controller::api:v1:Reflect.delete_token',
|
||||
],
|
||||
},
|
||||
}
|
||||
|
||||
module.exports = exports = reflect_routes
|
Loading…
Reference in new issue