openhim-core/lib/middleware/authorisation.js

The OpenHIM core application that provides logging and routing of http requests

"use strict";

Object.defineProperty(exports, "__esModule", {
  value: true
});
exports.authorise = authorise;
exports.koaMiddleware = koaMiddleware;

var _winston = _interopRequireDefault(require("winston"));

var _atnaAudit = _interopRequireDefault(require("atna-audit"));

var _os = _interopRequireDefault(require("os"));

var auditing = _interopRequireWildcard(require("../auditing"));

var _config = require("../config");

var _util = require("util");

function _getRequireWildcardCache() { if (typeof WeakMap !== "function") return null; var cache = new WeakMap(); _getRequireWildcardCache = function () { return cache; }; return cache; }

function _interopRequireWildcard(obj) { if (obj && obj.__esModule) { return obj; } if (obj === null || typeof obj !== "object" && typeof obj !== "function") { return { default: obj }; } var cache = _getRequireWildcardCache(); if (cache && cache.has(obj)) { return cache.get(obj); } var newObj = {}; var hasPropertyDescriptor = Object.defineProperty && Object.getOwnPropertyDescriptor; for (var key in obj) { if (Object.prototype.hasOwnProperty.call(obj, key)) { var desc = hasPropertyDescriptor ? Object.getOwnPropertyDescriptor(obj, key) : null; if (desc && (desc.get || desc.set)) { Object.defineProperty(newObj, key, desc); } else { newObj[key] = obj[key]; } } } newObj.default = obj; if (cache) { cache.set(obj, newObj); } return newObj; }

function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }

_config.config.authentication = _config.config.get('authentication');

const himSourceID = _config.config.get('auditing').auditEvents.auditSourceID;

function genAuthAudit(remoteAddress) {
  let audit = _atnaAudit.default.construct.nodeAuthentication(remoteAddress, himSourceID, _os.default.hostname(), _atnaAudit.default.constants.OUTCOME_MINOR_FAILURE);

  audit = _atnaAudit.default.construct.wrapInSyslog(audit);
  return audit;
}

function authoriseClient(channel, ctx) {
  if (ctx.authenticated != null && channel.allow != null) {
    if (ctx.authenticated.roles != null) {
      for (const role of Array.from(channel.allow)) {
        if (Array.from(ctx.authenticated.roles).includes(role)) {
          return true;
        }
      }
    }

    if (Array.from(channel.allow).includes(ctx.authenticated.clientID)) {
      return true;
    }
  }

  return false;
}

function authoriseIP(channel, ctx) {
  if ((channel.whitelist != null ? channel.whitelist.length : undefined) > 0) {
    return Array.from(channel.whitelist).includes(ctx.ip);
  } else {
    return true; // whitelist auth not required
  }
}

async function authorise(ctx, done) {
  const channel = ctx.matchingChannel;

  if (channel != null && authoriseIP(channel, ctx) && (channel.authType === 'public' || authoriseClient(channel, ctx))) {
    // authorisation succeeded
    ctx.authorisedChannel = channel;

    _winston.default.info(`The request, '${ctx.request.path}' is authorised to access ${ctx.authorisedChannel.name}`);
  } else {
    // authorisation failed
    ctx.response.status = 401;

    if (_config.config.authentication.enableBasicAuthentication) {
      ctx.set('WWW-Authenticate', 'Basic');
    }

    _winston.default.info(`The request, '${ctx.request.path}', is not authorised to access any channels.`);

    auditing.sendAuditEvent(genAuthAudit(ctx.ip), () => _winston.default.debug('Processed nodeAuthentication audit'));
  }

  return done();
}

async function koaMiddleware(ctx, next) {
  const _authorise = (0, _util.promisify)(authorise);

  await _authorise(ctx);

  if (ctx.authorisedChannel != null) {
    await next();
  }
} // export private functions for unit testing
// note: you cant spy on these method because of this :(


if (process.env.NODE_ENV === 'test') {
  exports.genAuthAudit = genAuthAudit;
}
//# sourceMappingURL=authorisation.js.map