Starship/CoreID
1
0
Fork 0
Code Issues 8 Pull Requests Releases 34 Wiki Activity

Implement OAuth2 server, link oauth:Client and auth::Oauth2Client, implement permission checks

Browse Source
This commit is contained in:
garrettmills
2020-05-16 23:55:08 -05:00
parent 6f621f5891
commit d558f21375
51 changed files with 2808 additions and 159 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
app/models/Application.model.js Normal file
View File

@@ -0,0 +1,29 @@
const { Model } = require('flitter-orm')
class ApplicationModel extends Model {
static get schema() {
return {
name: String,
identifier: String,
description: String,
active: { type: Boolean, default: true },
saml_service_provider_ids: [String],
ldap_client_ids: [String],
oauth_client_ids: [String],
}
}
async to_api() {
return {
id: this.id,
name: this.name,
identifier: this.identifier,
description: this.description,
saml_service_provider_ids: this.saml_service_provider_ids,
ldap_client_ids: this.ldap_client_ids,
oauth_client_ids: this.oauth_client_ids,
}
}
}
module.exports = exports = ApplicationModel

35
app/models/auth/Group.model.js Normal file
View File

@@ -0,0 +1,35 @@
const { Model } = require('flitter-orm')
// For organizational purposes only.
class GroupModel extends Model {
static get services() {
return [...super.services, 'models']
}
static get schema() {
return {
name: String,
user_ids: [String],
active: { type: Boolean, default: true },
}
}
identifier() {
return this.name.toLowerCase().replace(/\s/g, '_')
}
async users() {
const User = this.models.get('auth:User')
return await User.find({ _id: { $in: this.user_ids.map(x => this.constructor.to_object_id(x)) } })
}
async to_api() {
return {
id: this.id,
name: this.name,
user_ids: this.user_ids,
}
}
}
module.exports = exports = GroupModel

7
app/models/auth/User.model.js
View File

@@ -31,6 +31,7 @@ class User extends AuthUser {
app_passwords: [AppPassword],
mfa_enabled: {type: Boolean, default: false},
mfa_enable_date: Date,
create_date: {type: Date, default: () => new Date},
}}
}
@@ -42,6 +43,7 @@ class User extends AuthUser {
last_name: this.last_name,
email: this.email,
tagline: this.tagline,
group_ids: (await this.groups()).map(x => x.id),
}
}
@@ -112,6 +114,11 @@ class User extends AuthUser {
return { password: gen, record: pw }
}
async groups() {
const Group = this.models.get('auth:Group')
return Group.find({ active: true, user_ids: this.id })
}
async ldap_groups() {
const Group = this.models.get('ldap:Group')
return await Group.find({

127
app/models/iam/Policy.model.js Normal file
View File

@@ -0,0 +1,127 @@
const { Model } = require('flitter-orm')
// TODO - remove specific :create checks; auto-grant permissions on create
class PolicyModel extends Model {
static get services() {
return [...super.services, 'models']
}
static get schema() {
return {
entity_type: String, // user | group
entity_id: String,
access_type: String, // allow | deny
target_type: { type: String, default: 'application' }, // application
target_id: String,
active: { type: Boolean, default: true },
}
}
static async check_allow(entity_id, target_id) {
const policies = await this.find({
entity_id,
target_id,
access_type: 'allow',
active: true,
})
return policies.length > 0
}
static async check_deny(entity_id, target_id) {
const policies = await this.find({
entity_id,
target_id,
access_type: 'deny',
active: true,
})
return policies.length === 0
}
static async check_entity_access(entity_id, target_id) {
return (await this.check_allow(entity_id, target_id)) && !(await this.check_deny(entity_id, target_id))
}
static async check_user_access(user, target_id) {
const groups = await user.groups()
const group_ids = groups.map(x => x.id)
const user_approvals = await this.find({
entity_id: user.id,
target_id,
approval_type: 'allow',
active: true,
})
const user_denials = await this.find({
entity_id: user.id,
target_id,
approval_type: 'deny',
active: true,
})
const group_approvals = await this.find({
entity_id: { $in: group_ids },
target_id,
approval_type: 'allow',
active: true,
})
const group_denials = await this.find({
entity_id: { $in: group_ids },
target_id,
approval_type: 'deny',
active: true,
})
// IF user has explicit denial, deny
if ( user_denials.length > 0 ) return false
// ELSE IF user has explicit approval, approve
if ( user_approvals.length > 0 ) return true
// ELSE IF group has denial, deny
if ( group_denials.length > 0 ) return false
// ELSE IF group has approval, approve
if ( group_approvals.length > 0 ) return true
// ELSE deny
return false
}
async to_api() {
let entity_display = ''
if ( this.entity_type === 'user' ) {
const User = this.models.get('auth:User')
const user = await User.findById(this.entity_id)
entity_display = `User: ${user.last_name}, ${user.first_name} (${user.uid})`
} else if ( this.entity_type === 'group' ) {
const Group = this.models.get('auth:Group')
const group = await Group.findById(this.entity_id)
entity_display = `Group: ${group.name} (${group.user_ids.length} users)`
}
let target_display = ''
if ( this.target_type === 'application' ) {
const Application = this.models.get('Application')
const app = await Application.findById(this.target_id)
target_display = `Application: ${app.name}`
}
return {
id: this.id,
entity_display,
entity_type: this.entity_type,
entity_id: this.entity_id,
access_type: this.access_type,
target_display,
target_type: this.target_type,
target_id: this.target_id,
}
}
}
module.exports = exports = PolicyModel

10
app/models/ldap/Client.model.js
View File

@@ -35,15 +35,23 @@ class ClientModel extends Model {
return client
}
async invoke() {
this.last_invocation = new Date
}
async user() {
const User = this.models.get('auth:User')
return User.findById(this.user_id)
}
async application() {
const Application = this.models.get('Application')
return Application.findOne({ active: true, ldap_client_ids: this.id })
}
async to_api() {
const User = this.models.get('auth:User')
const user = await User.findById(this.user_id)
const role_permissions = user.roles.map(x => this.configs.get('auth.roles')[x])
return {

95
app/models/oauth/Client.model.js Normal file
View File

@@ -0,0 +1,95 @@
const { Model } = require('flitter-orm')
const uuid = require('uuid/v4')
/*
* OAuth2 Client Model
* ---------------------------------------------------
* Represents a single OAuth2 client. This class contains logic
* to create/update/delete the associated Flitter-Auth Oauth2Client
* instance.
*/
class ClientModel extends Model {
static get services() {
return [...super.services, 'models']
}
static get schema() {
return {
name: String,
uuid: {type: String, default: uuid},
secret: {type: String, default: uuid},
active: {type: Boolean, default: true},
api_scopes: [String],
redirect_url: String,
}
}
can(scope) {
return this.api_scopes.includes()
}
async application() {
const Application = this.models.get('Application')
return Application.findOne({ active: true, oauth_client_ids: this.id })
}
async update_auth_client() {
const Oauth2Client = this.models.get('auth::Oauth2Client')
let client = await Oauth2Client.findOne({ clientID: this.uuid })
// There's an associated client, but we're not active, so delete the assoc
if ( client && !this.active ) {
await client.delete()
return
}
if ( !client ) {
client = new Oauth2Client({
grants: ['authorization_code'],
})
}
client.clientID = this.uuid
client.clientSecret = this.secret
client.name = this.name
client.redirectUris = [this.redirect_url]
await client.save()
}
async save() {
await super.save()
// Save the associated flitter-auth-compatible client.
await this.update_auth_client()
}
async to_api() {
return {
id: this.id,
name: this.name,
uuid: this.uuid,
secret: this.secret,
api_scopes: this.api_scopes,
redirect_url: this.redirect_url,
}
}
// See flitter-auth/User
_array_allow_permission(array_of_permissions, permission) {
const permission_parts = permission.split(':')
for ( let i = permission_parts.length; i > 0; i-- ) {
const permission_string = permission_parts.slice(0, i).join(':')
if ( array_of_permissions.includes(permission_string) ) return true
}
return false
}
// See flitter-auth/User
can(scope){
return this._array_allow_permission(this.api_scopes, scope)
}
}
module.exports = exports = ClientModel

9
app/models/saml/ServiceProvider.model.js
View File

@@ -1,6 +1,10 @@
const { Model } = require('flitter-orm')
class ServiceProviderModel extends Model {
static get services() {
return [...super.services, 'models']
}
static get schema() {
return {
name: String,
@@ -11,6 +15,11 @@ class ServiceProviderModel extends Model {
}
}
async application() {
const Application = this.models.get('Application')
return Application.findOne({ active: true, saml_service_provider_ids: this.id })
}
to_api() {
return {
id: this.id,