UNPKG

keycloak-lambda-authorizer

Version:
85 lines 4.12 kB
"use strict"; var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } return new (P || (P = Promise))(function (resolve, reject) { function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } step((generator = generator.apply(thisArg, _arguments || [])).next()); }); }; Object.defineProperty(exports, "__esModule", { value: true }); exports.DefaultResourceChecker = void 0; class DefaultResourceChecker { constructor(options) { this.options = options; } buildUri(resourceObject) { return Object.entries(resourceObject).map(([key, value]) => `${key}=${value}`).join('&'); } getResource(requestContent, resourceObject) { return __awaiter(this, void 0, void 0, function* () { const { realm, resource } = yield this.options.keycloakJson(this.options, requestContent); const key = `${realm}:${resource}${JSON.stringify(resourceObject)}`; const { cache } = this.options; let resources = yield cache.get('resource', key); // eslint-disable-next-line no-negated-condition if (!resources) { const umaResponse = yield this.options.umaConfiguration .getUma2Configuration(requestContent); const resourceRegistrationEndpoint = `${umaResponse.resource_registration_endpoint}?${this.buildUri(resourceObject)}`; const serviceToken = yield this.options.serviceAccount .getServiceAccountToken(requestContent); const res = yield this.options.restClient.fetchData(resourceRegistrationEndpoint, 'GET', { Authorization: `Bearer ${serviceToken}`, }); resources = JSON.parse(res); yield cache.put('resource', key, JSON.stringify(resources)); } else { resources = JSON.parse(resources); } return resources; }); } matchResource(requestContent, enforcer) { return __awaiter(this, void 0, void 0, function* () { if (!enforcer) { throw new Error('enforcer does not exists'); } const permissions = enforcer.resources || []; if (enforcer.resource) { permissions.push(enforcer.resource); } let resources = []; for (let i = 0; i < permissions.length; i++) { const resourceJson = yield this.getResource(requestContent, permissions[i]); resources = resources.concat(resourceJson); } let { payload } = requestContent.token; if (!payload.authorization) { const tkn = yield this.options.clientAuthorization.getRPT(requestContent, enforcer); // eslint-disable-next-line require-atomic-updates payload = tkn.decodedAccessToken; } let permission; const resource = resources.find((resId) => { const { authorization } = payload; if (authorization.permissions) { permission = authorization.permissions.find((p) => p.rsid === resId); } return permission; }); let hasScope = true; if (resource) { hasScope = !permissions.find((p) => p.scope) || permissions.every((p) => permission.scopes.includes(p.scope)); } if (!resource || !hasScope) { throw new Error('Access is denied'); } }); } } exports.DefaultResourceChecker = DefaultResourceChecker; //# sourceMappingURL=Resource.js.map