openam-agent-custom/dist/shield/basic-auth-shield.js

Customized ForgeRock AM Policy Agent for Node.js from Zoltan Tarcsay

"use strict";
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
    return new (P || (P = Promise))(function (resolve, reject) {
        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
        step((generator = generator.apply(thisArg, _arguments || [])).next());
    });
};
var __generator = (this && this.__generator) || function (thisArg, body) {
    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
    return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
    function verb(n) { return function (v) { return step([n, v]); }; }
    function step(op) {
        if (f) throw new TypeError("Generator is already executing.");
        while (_) try {
            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
            if (y = 0, t) op = [op[0] & 2, t.value];
            switch (op[0]) {
                case 0: case 1: t = op; break;
                case 4: _.label++; return { value: op[1], done: false };
                case 5: _.label++; y = op[1]; op = [0]; continue;
                case 7: op = _.ops.pop(); _.trys.pop(); continue;
                default:
                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
                    if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
                    if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
                    if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
                    if (t[2]) _.ops.pop();
                    _.trys.pop(); continue;
            }
            op = body.call(thisArg, _);
        } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
        if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
    }
};
Object.defineProperty(exports, "__esModule", { value: true });
var basicAuth = require("basic-auth");
var shield_evaluation_error_1 = require("../error/shield-evaluation-error");
var deferred_1 = require("../utils/deferred");
var http_utils_1 = require("../utils/http-utils");
/**
 * Shield implementation for enforcing a basic auth header. The credentials in the Authorization will be sent to OpenAM.
 * No session will be created.
 */
var BasicAuthShield = /** @class */ (function () {
    function BasicAuthShield(options) {
        this.options = options;
    }
    /**
     * The returned Promise is wrapped in a Deferred object. This is because in case of a 401 challenge, the Promise
     * must not be resolved (if the Promise is resolved, the agent treats it as success). A challenge is neither success
     * nor failure.
     */
    BasicAuthShield.prototype.evaluate = function (req, res, agent) {
        return __awaiter(this, void 0, void 0, function () {
            var user, deferred;
            return __generator(this, function (_a) {
                switch (_a.label) {
                    case 0:
                        user = basicAuth(req);
                        deferred = new deferred_1.Deferred();
                        if (!user) return [3 /*break*/, 2];
                        return [4 /*yield*/, this.authenticate(agent, user.name, user.pass)];
                    case 1:
                        _a.sent();
                        agent.logger.info('BasicAuthShield: %s => allow', req.url);
                        deferred.resolve({ key: user.name, data: { username: user.name } });
                        return [3 /*break*/, 3];
                    case 2:
                        agent.logger.info('BasicAuthShield: %s => unauthenticated', req.url);
                        this.sendChallenge(res);
                        _a.label = 3;
                    case 3: return [4 /*yield*/, deferred.promise];
                    case 4: return [2 /*return*/, _a.sent()];
                }
            });
        });
    };
    BasicAuthShield.prototype.sendChallenge = function (res) {
        http_utils_1.sendResponse(res, 401, null, {
            'WWW-Authenticate': 'Basic realm=Authorization Required'
        });
    };
    BasicAuthShield.prototype.authenticate = function (agent, username, password) {
        return __awaiter(this, void 0, void 0, function () {
            var err_1;
            return __generator(this, function (_a) {
                switch (_a.label) {
                    case 0:
                        _a.trys.push([0, 2, , 3]);
                        return [4 /*yield*/, agent.amClient.authenticate(username, password, this.options.realm, this.options.service, this.options.module, true)];
                    case 1:
                        _a.sent();
                        return [3 /*break*/, 3];
                    case 2:
                        err_1 = _a.sent();
                        throw new shield_evaluation_error_1.ShieldEvaluationError(err_1.statusCode || err_1.status || 500, err_1.name || err_1.message, err_1.stack + '\n' + JSON.stringify(err_1, null, 2));
                    case 3: return [2 /*return*/];
                }
            });
        });
    };
    return BasicAuthShield;
}());
exports.BasicAuthShield = BasicAuthShield;
//# sourceMappingURL=basic-auth-shield.js.map