Merge pull request #703 from ckpaliwal/console-api-fix

api fixes for allow to generate token for reader and writer roles and…
hyperledger-labs · May 10, 2024 · 15ab660 · 15ab660
2 parents 312b26e + cb5dc94
commit 15ab660
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 18 deletions.
diff --git a/packages/apollo/src/components/AddUserModal/AddUserModal.js b/packages/apollo/src/components/AddUserModal/AddUserModal.js
@@ -198,7 +198,7 @@ export class AddUserModal extends Component {
 							submitting: false,
 							error: {
 								title: 'error_add_users',
-								details: error.msg ? error.msg : error,
+								details: error.message ? error.message : error,
 							},
 						});
 					});

diff --git a/packages/athena/libs/middleware/middleware.js b/packages/athena/libs/middleware/middleware.js
@@ -94,6 +94,10 @@ module.exports = function (logger, ev, t) {
 	exports.verify_apiKey_action_session = [eTrack, blockReadOnlyMode, needApiKeyAction, checkAuthentication, permitAction];
 	exports.verify_apiKey_action_ak = [eTrack, blockReadOnlyMode, needApiKeyAction, allowAkToDoAction];
 
+	// manage generate bearer token using api key
+	exports.verify_apiKey_bearer_action_session = [eTrack, blockReadOnlyMode, needViewAction, checkAuthentication, permitAction];
+	exports.verify_apiKey_bearer_action_ak = [eTrack, blockReadOnlyMode, needViewAction, allowAkToDoAction];
+
 	// manage notifications
 	exports.verify_notifications_action_session = [eTrack, needNotificationAction, checkAuthentication, permitAction];
 	exports.verify_notifications_action_ak = [eTrack, needNotificationAction, allowAkToDoAction];
@@ -292,7 +296,6 @@ module.exports = function (logger, ev, t) {
 				return exports.unauthorized(res);
 			} else {
 				req.using_api_key = user.name;
-
 				// [1] - check if using support key
 				if (user.name === ev.SUPPORT_KEY) {
 					if (!validSupportKey(req)) {									// check the support key first
@@ -341,7 +344,6 @@ module.exports = function (logger, ev, t) {
 							return exports.unauthorized(res);
 						} else {
 							const valid_secret = t.misc.verify_secret(user.pass, doc.salt, doc.hashed_secret);
-
 							if (!valid_secret) {											// invalid secret
 								logger.error('[middle] invalid api key secret for api key id:', user.name);
 								return exports.unauthorized(res);

diff --git a/packages/athena/libs/permissions_lib.js b/packages/athena/libs/permissions_lib.js
@@ -101,7 +101,7 @@ module.exports = function (logger, ev, t) {
 
 				if (input_errors.length >= 1) {
 					logger.error('[permissions] cannot add these users. bad input:', input_errors);
-					cb({ statusCode: 400, msg: input_errors, }, null);
+					cb({ statusCode: 400, message: input_errors, }, null);
 				} else {
 					const usernames = Object.keys(req.body.users);
 					const censored = [];
@@ -126,13 +126,13 @@ module.exports = function (logger, ev, t) {
 					}, (err_writeDoc) => {
 						if (err_writeDoc) {
 							logger.error('[permissions] cannot edit settings doc to add users:', err_writeDoc);
-							cb({ statusCode: 500, msg: 'could not update settings doc', details: err_writeDoc }, null);
+							cb({ statusCode: 500, message: 'could not update settings doc', details: err_writeDoc }, null);
 						} else {
 							logger.info('[permissions] adding users - success');
 
 							ev.update(null, err => {								// reload ev settings
 								if (err) {
-									return cb({ statusCode: 500, msg: 'could not update config settings' }, null);
+									return cb({ statusCode: 500, message: 'could not update config settings' }, null);
 								} else {
 									cb(null, { message: 'ok' });					// all good
 								}
@@ -784,11 +784,24 @@ module.exports = function (logger, ev, t) {
 		const parsed_auth = t.auth_header_lib.parse_auth(req);
 		const lc_username = (parsed_auth && parsed_auth.name) ? parsed_auth.name.toLowerCase() : null;
 
-		// init roles as manager, else use the ones provided
 		if (!Array.isArray(roles) || roles.length === 0) {
-			roles = [ev.STR.MANAGER_ROLE, ev.STR.WRITER_ROLE, ev.STR.READER_ROLE];
+			t.otcc.getDoc({									// find the api key, its id should be in the username field
+				db_name: ev.DB_SYSTEM,
+				_id: parsed_auth.name,
+			}, (err, doc) => {
+				if (err || !doc) {													// invalid username
+					logger.error(`[permissions] problem getting the api key doc for key id ${parsed_auth.name}`);
+					return cb(err);
+				}
+				return create_token_doc(req, lc_username, doc.roles, expiration_secs, cb);
+			});
+		} else {
+			return create_token_doc(req, lc_username, roles, expiration_secs, cb);
 		}
 
+	};
+
+	const create_token_doc = (req, lc_username, roles, expiration_secs, cb) => {
 		const access_token_doc = exports.generate_access_token(lc_username, roles, expiration_secs);
 
 		// build a notification doc

diff --git a/packages/athena/routes/permission_apis.js b/packages/athena/routes/permission_apis.js
@@ -145,7 +145,7 @@ module.exports = function (logger, ev, t) {
 	//--------------------------------------------------
 	// Get all api keys from the db
 	//--------------------------------------------------
-	app.get('/api/v[123]/permissions/keys', t.middleware.verify_view_action_session, (req, res) => {
+	app.get('/api/v[123]/permissions/keys', t.middleware.verify_apiKey_action_session, (req, res) => {
 		t.permissions_lib.get_api_keys(req, (err, ret) => {
 			if (err) {
 				return res.status(t.ot_misc.get_code(err)).json(err);
@@ -154,7 +154,8 @@ module.exports = function (logger, ev, t) {
 			}
 		});
 	});
-	app.get('/ak/api/v[123]/permissions/keys', t.middleware.verify_view_action_ak, (req, res) => {
+
+	app.get('/ak/api/v[123]/permissions/keys', t.middleware.verify_apiKey_action_ak, (req, res) => {
 		t.permissions_lib.get_api_keys(req, (err, ret) => {
 			if (err) {
 				return res.status(t.ot_misc.get_code(err)).json(err);
@@ -264,10 +265,10 @@ module.exports = function (logger, ev, t) {
 	//--------------------------------------------------
 	// Store/create a access token  in the database (aka bearer token)
 	//--------------------------------------------------
-	app.post('/api/v3/identity/token', t.middleware.verify_apiKey_action_session, (req, res) => {
+	app.post('/api/v3/identity/token', t.middleware.verify_apiKey_bearer_action_session, (req, res) => {
 		exchange_for_token(req, res);
 	});
-	app.post('/ak/api/v3/identity/token', t.middleware.verify_apiKey_action_ak, (req, res) => {
+	app.post('/ak/api/v3/identity/token', t.middleware.verify_apiKey_bearer_action_ak, (req, res) => {
 		exchange_for_token(req, res);
 	});
 

diff --git a/packages/athena/test/test-suites/routes/permission_apis.test.js b/packages/athena/test/test-suites/routes/permission_apis.test.js
@@ -234,15 +234,15 @@ describe('Permission APIs', () => {
 					common.ev.AUTH_SCHEME = 'appid';
 					const settings = JSON.parse(JSON.stringify(auth_scheme_objects.athena_system));
 					tools.stubs.getDoc.callsArgWith(1, null, settings);
-					tools.stubs.repeatWriteSafe.callsArgWith(2, { statusCode: 500, msg: 'problem adding users' });
+					tools.stubs.repeatWriteSafe.callsArgWith(2, { statusCode: 500, message: 'problem adding users' });
 				},
 				expectBlock: (res) => {
 					expect(res.status).to.equal(500);
 					expect(JSON.stringify(res.body)).to.equal(
 						JSON.stringify({
 							'statusCode': 500,
-							'msg': 'could not update settings doc',
-							'details': { 'statusCode': 500, 'msg': 'problem adding users' }
+							'message': 'could not update settings doc',
+							'details': { 'statusCode': 500, 'message': 'problem adding users' }
 						})
 					);
 				}
@@ -266,11 +266,11 @@ describe('Permission APIs', () => {
 					const settings = JSON.parse(JSON.stringify(auth_scheme_objects.athena_system));
 					tools.stubs.getDoc.callsArgWith(1, null, settings);
 					tools.stubs.repeatWriteSafe.callsArgWith(2, null);
-					tools.stubs.update.callsArgWith(1, { statusCode: 500, msg: 'problem updating' });
+					tools.stubs.update.callsArgWith(1, { statusCode: 500, message: 'problem updating' });
 				},
 				expectBlock: (res) => {
 					expect(res.status).to.equal(500);
-					expect(JSON.stringify(res.body)).to.equal(JSON.stringify({ 'statusCode': 500, 'msg': 'could not update config settings' }));
+					expect(JSON.stringify(res.body)).to.equal(JSON.stringify({ 'statusCode': 500, 'message': 'could not update config settings' }));
 				}
 			},
 			{
@@ -304,7 +304,7 @@ describe('Permission APIs', () => {
 				expectBlock: (res) => {
 					expect(res.status).to.equal(400);
 					expect(JSON.stringify(res.body)).to.equal(JSON.stringify({
-						'statusCode': 400, 'msg': [
+						'statusCode': 400, 'message': [
 							'username cannot contain a colon: this:is:invalid',
 							'username cannot be less than 6 characters: bad',
 							'username cannot be greater than 64 characters: invalid-invalid-...',