UNPKG

@flowfuse/flowfuse

Version:

An open source low-code development platform

flowfuse.com

FlowFuse/flowfuse

129 lines (124 loc) 6.66 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
const fp = require('fastify-plugin') const { Permissions } = require('../../lib/permissions') const { Roles } = require('../../lib/roles.js') // For device/project tokens, list the scopes they implicitly have. // This will allow us to add scopes to existing tokens without having to update // them (as that requires reprovisioning of devices and restaging of projects) const IMPLICIT_TOKEN_SCOPES = { device: [ 'team:projects:list', // permit a device being edited via a tunnel in developer mode to list projects 'library:entry:create', // permit a device being edited via a tunnel in developer mode to create library entries 'library:entry:list', // permit a device being edited via a tunnel in developer mode to list library entries 'broker:clients:list', // permit ff-mqtt nodes to list broker clients 'broker:clients:link', // permit ff-mqtt nodes to link broker clients 'assistant:call' // permit access to assistant ], project: [ 'user:read', 'project:flows:view', 'project:flows:edit', 'team:projects:list', 'library:entry:create', 'library:entry:list', 'broker:clients:list', 'broker:clients:link', 'assistant:call' // permit access to assistant ] } module.exports = fp(async function (app, opts) { function hasPermission (teamMembership, scope, context) { if (!teamMembership) { return false } let userRole = teamMembership.role // Granular RBAC; if the request provides an application context for the request, check against // the teamMembership.permissions object if (app.config.features.enabled('rbacApplication')) { const application = context?.application?.hashid || context?.applicationId if (application && teamMembership.permissions?.applications?.[application] !== undefined) { userRole = teamMembership.permissions.applications[application] } } const permission = Permissions[scope] return userRole >= permission.role } function needsPermission (scope) { if (!Permissions[scope]) { throw new Error(`Unrecognised scope requested: '${scope}'`) } return async (request, reply) => { if (!request.session.scope && request.session.User && request.session.User.admin) { // Admins get to have all the fun - as long as they are logged in and not // using an access-token which has a reduced scope return } // A user has permission based on: // - the resource they are accessing // - the action they want to perform // For all Team based permissions, the request should already have // request.team and request.teamMembership set const permission = Permissions[scope] if (permission.role === Roles.Admin && !request.session.User.admin && !permission.self) { // Requires admin user reply.code(403).send({ code: 'unauthorized', error: 'unauthorized' }) throw new Error() } else if (app.settings.get(scope) === false) { // Permission disabled via admin settings reply.code(403).send({ code: 'unauthorized', error: 'unauthorized' }) throw new Error() } else if (permission.role && permission.role !== Roles.Admin && (!request.session.scope || request.session.ownerType === 'user')) { // The user is required to have a role in the team associated with // this request if (!request.teamMembership) { reply.code(403).send({ code: 'unauthorized', error: 'unauthorized' }) throw new Error() } if (permission.self && (request.user && (request.user.id === request.session.User?.id))) { // This permission is permitted if the user is operating on themselves return } let userRole = request.teamMembership.role if (app.config.features.enabled('rbacApplication')) { // Granular RBAC; if the request provides an application context for the request, check against // the teamMembership.permissions object const application = request.application?.hashid || request.applicationId if (application && request.teamMembership.permissions?.applications?.[application] !== undefined) { userRole = request.teamMembership.permissions.applications[application] } } // console.log(request.url, scope, request.teamMembership.role, userRole) if (userRole < permission.role) { reply.code(403).send({ code: 'unauthorized', error: 'unauthorized' }) throw new Error() } } else if (permission.self) { // A request outside the context of a team. if (!request.session.User) { reply.code(403).send({ code: 'unauthorized', error: 'unauthorized' }) throw new Error() } if (request.user) { // This request is in the context of a user. Ensure it is the // session user if (request.user.id !== request.session.User?.id) { reply.code(403).send({ code: 'unauthorized', error: 'unauthorized' }) throw new Error() } } } if (request.session.scope) { // All things being equal, the user does have this permission // But they are using an access_token that could be scoped down // We also need to check against the list of implicit scopes for // a given token type (ie device/project) if (!request.session.scope.includes(scope) && (!IMPLICIT_TOKEN_SCOPES[request.session.ownerType] || !IMPLICIT_TOKEN_SCOPES[request.session.ownerType].includes(scope))) { reply.code(403).send({ code: 'unauthorized', error: 'unauthorized' }) throw new Error() } } } } app.decorate('hasPermission', hasPermission) app.decorate('needsPermission', needsPermission) }, { name: 'app.routes.auth.permissions' })