From aa71615cf9a952b5db3dc4d545c2462e3ae70ebc Mon Sep 17 00:00:00 2001
From: Chandra Kant Paliwal
Date: Wed, 8 May 2024 18:17:55 +0530
Subject: [PATCH 1/2] api fixes for allow to generate token for reader and writer roles and update message key
Signed-off-by: Chandra Kant Paliwal
---
 .../components/AddUserModal/AddUserModal.js | 2 +-
 packages/athena/libs/middleware/middleware.js | 6 +++--
 packages/athena/libs/permissions_lib.js | 23 +++++++++++++++----
 packages/athena/routes/permission_apis.js | 9 ++++----
 4 files changed, 28 insertions(+), 12 deletions(-)
diff --git a/packages/apollo/src/components/AddUserModal/AddUserModal.js b/packages/apollo/src/components/AddUserModal/AddUserModal.js
index 61b62861..6787f93a 100644
--- a/packages/apollo/src/components/AddUserModal/AddUserModal.js
+++ b/packages/apollo/src/components/AddUserModal/AddUserModal.js
@@ -198,7 +198,7 @@ export class AddUserModal extends Component {
 submitting: false,
 error: {
 title: 'error_add_users',
- details: error.msg ? error.msg : error,
+ details: error.message ? error.message : error,
 },
 });
 });
diff --git a/packages/athena/libs/middleware/middleware.js b/packages/athena/libs/middleware/middleware.js
index c6c9b313..ddeac180 100644
--- a/packages/athena/libs/middleware/middleware.js
+++ b/packages/athena/libs/middleware/middleware.js
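Review bot: `details: error.message ? error.message : error` still stores the whole error object as `details` when no `message` is present, and after this rename `message` is not always a string: the permissions_lib hunk at @@ -101 returns `message: input_errors`, an array, for a 400 response. If `details` is rendered as text (not visible here), normalize it on this line, e.g. `details: Array.isArray(error.message) ? error.message.join(', ') : (error.message || error),`. The `catch` callback and the `AddUserModal` class around it start outside the hunk.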
@@ -94,6 +94,10 @@ module.exports = function (logger, ev, t) {
 exports.verify_apiKey_action_session = [eTrack, blockReadOnlyMode, needApiKeyAction, checkAuthentication, permitAction];
 exports.verify_apiKey_action_ak = [eTrack, blockReadOnlyMode, needApiKeyAction, allowAkToDoAction];
+ // manage generate bearer token using api key
+ exports.verify_apiKey_bearer_action_session = [eTrack, blockReadOnlyMode, needViewAction, checkAuthentication, permitAction];
+ exports.verify_apiKey_bearer_action_ak = [eTrack, blockReadOnlyMode, needViewAction, allowAkToDoAction];
+
 // manage notifications
 exports.verify_notifications_action_session = [eTrack, needNotificationAction, checkAuthentication, permitAction];
 exports.verify_notifications_action_ak = [eTrack, needNotificationAction, allowAkToDoAction];
@@ -292,7 +296,6 @@ module.exports = function (logger, ev, t) {
 return exports.unauthorized(res);
 } else {
 req.using_api_key = user.name;
- // [1] - check if using support key
 if (user.name === ev.SUPPORT_KEY) {
 if (!validSupportKey(req)) { // check the support key first
@@ -341,7 +344,6 @@ module.exports = function (logger, ev, t) {
 return exports.unauthorized(res);
 } else {
 const valid_secret = t.misc.verify_secret(user.pass, doc.salt, doc.hashed_secret);
-
 if (!valid_secret) { // invalid secret
 logger.error('[middle] invalid api key secret for api key id:', user.name);
 return exports.unauthorized(res);
diff --git a/packages/athena/libs/permissions_lib.js b/packages/athena/libs/permissions_lib.js
index acd45424..bc026e0a 100644
--- a/packages/athena/libs/permissions_lib.js
+++ b/packages/athena/libs/permissions_lib.js
@@ -101,7 +101,7 @@ module.exports = function (logger, ev, t) {
 if (input_errors.length >= 1) {
 logger.error('[permissions] cannot add these users. bad input:', input_errors);
- cb({ statusCode: 400, msg: input_errors, }, null);
+ cb({ statusCode: 400, message: input_errors, }, null);
 } else {
 const usernames = Object.keys(req.body.users);
 const censored = [];
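Review bot: The new `verify_apiKey_bearer_action_session`/`_ak` chains at @@ -94 gate the bearer-token exchange on `needViewAction` instead of `needApiKeyAction`, so any principal with view rights can now mint a bearer token, and nothing in this commit bounds the roles that token carries: the permissions_lib hunk at @@ -784 passes a caller-supplied `roles` array straight to `create_token_doc`, so unless that array is validated somewhere outside these hunks a read-only key could obtain a token carrying a higher role than its own. Either keep the stricter action on the `/identity/token` routes, or add in the `else` branch of that hunk a check that every requested role is one the caller already holds (the api key doc's `roles`, which the same hunk already knows how to look up) and fail with a 403 otherwise. The route comment in permission_apis.js should then state the rule, e.g. `// any viewer may exchange its api key for a bearer token carrying at most the key's own roles`.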
@@ -126,13 +126,13 @@ module.exports = function (logger, ev, t) {
 }, (err_writeDoc) => {
 if (err_writeDoc) {
 logger.error('[permissions] cannot edit settings doc to add users:', err_writeDoc);
- cb({ statusCode: 500, msg: 'could not update settings doc', details: err_writeDoc }, null);
+ cb({ statusCode: 500, message: 'could not update settings doc', details: err_writeDoc }, null);
 } else {
 logger.info('[permissions] adding users - success');
 ev.update(null, err => { // reload ev settings
 if (err) {
- return cb({ statusCode: 500, msg: 'could not update config settings' }, null);
+ return cb({ statusCode: 500, message: 'could not update config settings' }, null);
 } else {
 cb(null, { message: 'ok' }); // all good
 }
 }
@@ -784,11 +784,24 @@ module.exports = function (logger, ev, t) {
 const parsed_auth = t.auth_header_lib.parse_auth(req);
 const lc_username = (parsed_auth && parsed_auth.name) ? parsed_auth.name.toLowerCase() : null;
- // init roles as manager, else use the ones provided
 if (!Array.isArray(roles) || roles.length === 0) {
- roles = [ev.STR.MANAGER_ROLE, ev.STR.WRITER_ROLE, ev.STR.READER_ROLE];
+ t.otcc.getDoc({ // find the api key, its id should be in the username field
+ db_name: ev.DB_SYSTEM,
+ _id: parsed_auth.name,
+ }, (err, doc) => {
+ if (err || !doc) { // invalid username
+ logger.error(`[permissions] problem getting the api key doc for key id ${parsed_auth.name}`);
+ return cb(err);
+ }
+ return create_token_doc(req, lc_username, doc.roles, expiration_secs, cb);
+ });
+ } else {
+ return create_token_doc(req, lc_username, roles, expiration_secs, cb);
 }
+ };
+
+ const create_token_doc = (req, lc_username, roles, expiration_secs, cb) => {
 const access_token_doc = exports.generate_access_token(lc_username, roles, expiration_secs);
 // build a notification doc
diff --git a/packages/athena/routes/permission_apis.js b/packages/athena/routes/permission_apis.js
index 3527e4b6..5f879e4d 100644
--- a/packages/athena/routes/permission_apis.js
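Review bot: In the @@ -784 hunk `parsed_auth.name` is dereferenced in the new `getDoc` call and in the `logger.error` template without the null guard that `lc_username` applies two lines above, so a request whose auth header does not parse (plausible on the session-authenticated route) throws a TypeError instead of returning an error, and when the lookup yields no `doc` with `err` null, `return cb(err)` calls back with nothing, which the caller will read as success. Guard and fail explicitly: `if (!parsed_auth || !parsed_auth.name) { return cb({ statusCode: 400, message: 'missing api key id' }); }` before the `Array.isArray(roles)` branch, and `return cb(err || { statusCode: 404, message: 'api key not found' });` in the `!doc` case. The lookup also keys on the raw `parsed_auth.name` while the token is issued for the lowercased `lc_username`, so the two can disagree in case, and nothing checks that the document found under that `_id` is actually an api key doc before trusting its `roles`. The enclosing function starts above this hunk and `create_token_doc` continues past it.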
+++ b/packages/athena/routes/permission_apis.js
@@ -145,7 +145,7 @@ module.exports = function (logger, ev, t) {
 //--------------------------------------------------
 // Get all api keys from the db
 //--------------------------------------------------
- app.get('/api/v[123]/permissions/keys', t.middleware.verify_view_action_session, (req, res) => {
+ app.get('/api/v[123]/permissions/keys', t.middleware.verify_apiKey_action_session, (req, res) => {
 t.permissions_lib.get_api_keys(req, (err, ret) => {
 if (err) {
 return res.status(t.ot_misc.get_code(err)).json(err);
@@ -154,7 +154,8 @@ module.exports = function (logger, ev, t) {
 }
 });
 });
- app.get('/ak/api/v[123]/permissions/keys', t.middleware.verify_view_action_ak, (req, res) => {
+
+ app.get('/ak/api/v[123]/permissions/keys', t.middleware.verify_apiKey_action_ak, (req, res) => {
 t.permissions_lib.get_api_keys(req, (err, ret) => {
 if (err) {
 return res.status(t.ot_misc.get_code(err)).json(err);
@@ -264,10 +265,10 @@ module.exports = function (logger, ev, t) {
 //--------------------------------------------------
 // Store/create a access token in the database (aka bearer token)
 //--------------------------------------------------
- app.post('/api/v3/identity/token', t.middleware.verify_apiKey_action_session, (req, res) => {
+ app.post('/api/v3/identity/token', t.middleware.verify_apiKey_bearer_action_session, (req, res) => {
 exchange_for_token(req, res);
 });
- app.post('/ak/api/v3/identity/token', t.middleware.verify_apiKey_action_ak, (req, res) => {
+ app.post('/ak/api/v3/identity/token', t.middleware.verify_apiKey_bearer_action_ak, (req, res) => {
 exchange_for_token(req, res);
 });
From cb5dc94800aa79ba72ff642b664232186a8ebce1 Mon Sep 17 00:00:00 2001
From: Chandra Kant Paliwal
Date: Wed, 8 May 2024 20:06:07 +0530
Subject: [PATCH 2/2] update test case for handle error message key updation
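Review bot: The comment block above the `/api/v3/identity/token` routes at @@ -264 still says only `Store/create a access token in the database (aka bearer token)` while both routes now run `verify_apiKey_bearer_action_session`/`_ak`, whose gate (the view action, per the middleware hunk) is deliberately weaker than the `verify_apiKey_action_*` chain the key-listing routes above were just moved onto; a reader sees two similarly named chains and no reason for the difference. Consider `// Store/create an access token in the database (aka bearer token); gated on the view action, roles resolved in permissions_lib (the supplied list, else the api key's own)`. The `exchange_for_token` helper is defined outside the hunk.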
Signed-off-by: Chandra Kant Paliwal
---
 .../test/test-suites/routes/permission_apis.test.js | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/packages/athena/test/test-suites/routes/permission_apis.test.js b/packages/athena/test/test-suites/routes/permission_apis.test.js
index 21e60b99..14254e63 100644
--- a/packages/athena/test/test-suites/routes/permission_apis.test.js
+++ b/packages/athena/test/test-suites/routes/permission_apis.test.js
@@ -234,15 +234,15 @@ describe('Permission APIs', () => {
 common.ev.AUTH_SCHEME = 'appid';
 const settings = JSON.parse(JSON.stringify(auth_scheme_objects.athena_system));
 tools.stubs.getDoc.callsArgWith(1, null, settings);
- tools.stubs.repeatWriteSafe.callsArgWith(2, { statusCode: 500, msg: 'problem adding users' });
+ tools.stubs.repeatWriteSafe.callsArgWith(2, { statusCode: 500, message: 'problem adding users' });
 },
 expectBlock: (res) => {
 expect(res.status).to.equal(500);
 expect(JSON.stringify(res.body)).to.equal(
 JSON.stringify({
 'statusCode': 500,
- 'msg': 'could not update settings doc',
- 'details': { 'statusCode': 500, 'msg': 'problem adding users' }
+ 'message': 'could not update settings doc',
+ 'details': { 'statusCode': 500, 'message': 'problem adding users' }
 })
 );
 }
@@ -266,11 +266,11 @@ describe('Permission APIs', () => {
 const settings = JSON.parse(JSON.stringify(auth_scheme_objects.athena_system));
 tools.stubs.getDoc.callsArgWith(1, null, settings);
 tools.stubs.repeatWriteSafe.callsArgWith(2, null);
- tools.stubs.update.callsArgWith(1, { statusCode: 500, msg: 'problem updating' });
+ tools.stubs.update.callsArgWith(1, { statusCode: 500, message: 'problem updating' });
 },
 expectBlock: (res) => {
 expect(res.status).to.equal(500);
- expect(JSON.stringify(res.body)).to.equal(JSON.stringify({ 'statusCode': 500, 'msg': 'could not update config settings' }));
+ expect(JSON.stringify(res.body)).to.equal(JSON.stringify({ 'statusCode': 500, 'message': 'could not update config settings' }));
 }
 },
 {
@@ -304,7 +304,7 @@ describe('Permission APIs', () => {
 expectBlock: (res) => {
 expect(res.status).to.equal(400);
 expect(JSON.stringify(res.body)).to.equal(JSON.stringify({
- 'statusCode': 400, 'msg': [
+ 'statusCode': 400, 'message': [
 'username cannot contain a colon: this:is:invalid',
 'username cannot be less than 6 characters: bad',
 'username cannot be greater than 64 characters: invalid-invalid-...',