
openhim-core


The OpenHIM core application that provides logging and routing of http requests

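'use strict';

/**
 * Channel authorisation middleware (Babel-compiled CommonJS output).
 *
 * Decides whether a request that has already been matched to a channel
 * (`ctx.matchingChannel`) may use it. The decision combines the channel's
 * IP whitelist, its `authType`, and the roles / clientID of the already
 * authenticated client (`ctx.authenticated`). Failures are answered with
 * 401 and reported as an ATNA node-authentication audit event.
 */

Object.defineProperty(exports, "__esModule", { value: true });
exports.authorise = authorise;
exports.koaMiddleware = koaMiddleware;

const _winston = require('winston');
const _winston2 = _interopRequireDefault(_winston);

const _atnaAudit = require('atna-audit');
const _atnaAudit2 = _interopRequireDefault(_atnaAudit);

const _statsdClient = require('statsd-client');
const _statsdClient2 = _interopRequireDefault(_statsdClient);

const _os = require('os');
const _os2 = _interopRequireDefault(_os);

const _auditing = require('../auditing');
const auditing = _interopRequireWildcard(_auditing);

const _config = require('../config');

// `promisify` is no longer needed by koaMiddleware (see there); the require
// is kept so the module's load-time dependency list is unchanged.
const _util = require('util');

/**
 * Babel interop helper: returns an ES module namespace as-is, otherwise
 * copies the object's own enumerable properties and exposes the original
 * under `default`.
 */
function _interopRequireWildcard(obj) {
  if (obj && obj.__esModule) {
    return obj;
  }
  const newObj = {};
  if (obj != null) {
    for (const key in obj) {
      if (Object.prototype.hasOwnProperty.call(obj, key)) {
        newObj[key] = obj[key];
      }
    }
  }
  newObj.default = obj;
  return newObj;
}

/** Babel interop helper: wraps a CommonJS export as `{ default: obj }`. */
function _interopRequireDefault(obj) {
  return obj && obj.__esModule ? obj : { default: obj };
}

// Module-level side effect: caches the 'authentication' section on the
// shared config object at load time.
_config.config.authentication = _config.config.get('authentication');

const statsdServer = _config.config.get('statsd');
const application = _config.config.get('application');
const himSourceID = _config.config.get('auditing').auditEvents.auditSourceID;
const domain = `${_os2.default.hostname()}.${application.name}.appMetrics`;
const sdc = new _statsdClient2.default(statsdServer);

/**
 * Builds the audit message sent when authorisation fails: an ATNA
 * node-authentication event with a minor-failure outcome, wrapped in syslog.
 *
 * @param {string} remoteAddress - address recorded as the remote party
 *   (callers in this file pass `ctx.ip`).
 * @returns {*} the syslog-wrapped audit message produced by atna-audit.
 */
function genAuthAudit(remoteAddress) {
  const audit = _atnaAudit2.default.construct.nodeAuthentication(
    remoteAddress,
    himSourceID,
    _os2.default.hostname(),
    _atnaAudit2.default.constants.OUTCOME_MINOR_FAILURE
  );
  return _atnaAudit2.default.construct.wrapInSyslog(audit);
}

/**
 * Checks the authenticated client against the channel's `allow` list.
 *
 * @param {object} channel - matched channel; `channel.allow` is the allow list.
 * @param {object} ctx - Koa context; `ctx.authenticated` is the client record.
 * @returns {boolean} true when any `allow` entry is one of the client's roles
 *   or equals the client's clientID; false otherwise, including when either
 *   the client or the allow list is missing.
 */
function authoriseClient(channel, ctx) {
  if (ctx.authenticated == null || channel.allow == null) {
    return false;
  }

  // NOTE(review): role names and clientIDs are matched against the same
  // `allow` list, so the two share one namespace. A clientID that equals a
  // role name listed here is authorised as if it held that role; confirm
  // that client registration prevents such collisions.
  const allowed = Array.from(channel.allow);

  if (ctx.authenticated.roles != null) {
    const roles = Array.from(ctx.authenticated.roles);
    if (allowed.some((entry) => roles.includes(entry))) {
      return true;
    }
  }

  return allowed.includes(ctx.authenticated.clientID);
}

/**
 * Checks the request's source address against the channel's IP whitelist.
 *
 * @param {object} channel - matched channel; `channel.whitelist` is optional.
 * @param {object} ctx - Koa context; `ctx.ip` is the address compared.
 * @returns {boolean} true when the channel has no (or an empty) whitelist,
 *   or when `ctx.ip` is an exact member of it.
 */
function authoriseIP(channel, ctx) {
  if (channel.whitelist != null && channel.whitelist.length > 0) {
    // Exact string comparison: no CIDR ranges and no address normalisation,
    // so an IPv4-mapped IPv6 form of a listed address does not match
    // (this fails closed).
    // NOTE(review): Koa derives ctx.ip from X-Forwarded-For when proxy trust
    // (`app.proxy`) is enabled. Whether this application enables it is not
    // visible here; if it does, the whitelist is only as trustworthy as the
    // proxy that sets that header.
    return Array.from(channel.whitelist).includes(ctx.ip);
  }
  return true; // whitelist auth not required
}

/**
 * Authorises the request for its matched channel.
 *
 * On success sets `ctx.authorisedChannel`. On failure sets a 401 status,
 * adds a `WWW-Authenticate: Basic` challenge when basic authentication is
 * enabled in config, and sends a node-authentication audit event.
 *
 * @param {object} ctx - Koa context with `matchingChannel`, `ip`,
 *   `authenticated`, `request` and `response`.
 * @param {Function} done - callback invoked (with no arguments) once the
 *   decision has been recorded on `ctx`.
 * @returns {Promise<*>} resolves with whatever `done()` returns.
 */
async function authorise(ctx, done) {
  const channel = ctx.matchingChannel;

  // The IP whitelist applies to every channel; `authType === 'public'` only
  // waives the client (role / clientID) check.
  const permitted =
    channel != null &&
    authoriseIP(channel, ctx) &&
    (channel.authType === 'public' || authoriseClient(channel, ctx));

  if (permitted) {
    // authorisation succeeded
    ctx.authorisedChannel = channel;
    _winston2.default.info(`The request, '${ctx.request.path}' is authorised to access ${ctx.authorisedChannel.name}`);
  } else {
    // authorisation failed
    // NOTE(review): 401 is returned for every failure, including an
    // authenticated client that simply lacks access, and the Basic challenge
    // below carries no realm parameter (RFC 7617 requires one). Both are kept
    // as-is because callers may depend on the current responses.
    ctx.response.status = 401;
    if (_config.config.authentication.enableBasicAuthentication) {
      ctx.set('WWW-Authenticate', 'Basic');
    }
    _winston2.default.info(`The request, '${ctx.request.path}', is not authorised to access any channels.`);
    auditing.sendAuditEvent(genAuthAudit(ctx.ip), () => _winston2.default.debug('Processed nodeAuthentication audit'));
  }

  return done();
}

/**
 * Koa middleware: runs `authorise` and only continues down the middleware
 * chain when a channel was authorised. When statsd is enabled, reports the
 * time spent authorising.
 *
 * @param {object} ctx - Koa context.
 * @param {Function} next - continues to the downstream middleware.
 * @returns {Promise<void>}
 */
async function koaMiddleware(ctx, next) {
  let startTime;
  if (statsdServer.enabled) {
    startTime = new Date();
  }

  // `authorise` is already async and calls `done` synchronously as its last
  // step, so it is awaited directly. Wrapping it in util.promisify (as this
  // code did before) loses any exception thrown inside it: the wrapper's
  // promise never settles, so the request hangs, and the rejection of the
  // inner promise goes unhandled. Awaiting directly lets the error reach
  // Koa's error handling, and downstream middleware is still not invoked.
  await authorise(ctx, () => {});

  if (ctx.authorisedChannel != null) {
    if (statsdServer.enabled) {
      sdc.timing(`${domain}.authorisationMiddleware`, startTime);
    }
    await next();
  }
}

// export private functions for unit testing
// note: you cant spy on these method because of this :(
if (process.env.NODE_ENV === 'test') {
  exports.genAuthAudit = genAuthAudit;
}
//# sourceMappingURL=authorisation.js.map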