Add oauth grant

red/api/auth/clients.js

@@ -0,0 +1,32 @@
+/**
+ * Copyright 2014 IBM Corp.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+ 
+var when = require("when");
+
+var clients = [
+    {id:"node-red-admin",secret:"not_available"}
+];
+
+module.exports = {
+    get: function(id) {
+        for (var i=0;i<clients.length;i++) {
+            if (clients[i].id == id) {
+                return when.resolve(clients[i]);
+            }
+        }
+        return when.resolve(null);
+    }
+}

red/api/auth/index.js

@@ -0,0 +1,63 @@
+/**
+ * Copyright 2014 IBM Corp.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+
+var passport = require("passport");
+var oauth2orize = require("oauth2orize");
+
+var strategies = require("./strategies");
+
+var settings = require("../../settings");
+
+passport.use(strategies.bearerStrategy.BearerStrategy);
+passport.use(strategies.clientPasswordStrategy.ClientPasswordStrategy);
+
+var server = oauth2orize.createServer();
+
+server.exchange(oauth2orize.exchange.password(strategies.passwordTokenExchange));
+
+function authenticate(req,res,next) {
+    if (settings.httpAdminAuth) {
+        if (/^\/auth\/.*/.test(req.originalUrl)) {
+            next();
+        } else {
+            return passport.authenticate('bearer', { session: false })(req,res,next);
+        }
+    } else {
+        next();
+    }
+}
+
+function ensureClientSecret(req,res,next) {
+    if (!req.body.client_secret) {
+        req.body.client_secret = 'not_available';
+    }
+    next();
+}
+function authenticateClient(req,res,next) {
+    return passport.authenticate(['oauth2-client-password'], {session: false})(req,res,next);
+}
+function getToken(req,res,next) {
+    return server.token()(req,res,next);
+}
+
+
+module.exports = {
+    authenticate: authenticate,
+    ensureClientSecret: ensureClientSecret,
+    authenticateClient: authenticateClient,
+    getToken: getToken,
+    errorHandler: server.errorHandler()
+}

red/api/auth/strategies.js

@@ -0,0 +1,71 @@
+/**
+ * Copyright 2014 IBM Corp.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+
+var BearerStrategy = require('passport-http-bearer').Strategy;
+var ClientPasswordStrategy = require('passport-oauth2-client-password').Strategy;
+
+var crypto = require("crypto");
+
+var tokens = require("./tokens");
+var users = require("./users");
+var clients = require("./clients");
+
+var bearerStrategy = function (accessToken, done) {
+    // is this a valid token?
+    tokens.get(accessToken).then(function(token) {
+        if (token) {
+            users.get(token.user).then(function(user) {
+                if (user) {
+                    done(null,user,{scope:token.scope});
+                } else {
+                    done(null,false);
+                }
+            });
+        } else {
+            done(null,false);
+        }
+    });
+}
+bearerStrategy.BearerStrategy = new BearerStrategy(bearerStrategy);
+
+var clientPasswordStrategy = function(clientId, clientSecret, done) {
+    clients.get(clientId).then(function(client) {
+        if (client && client.secret == clientSecret) {
+            done(null,client);
+        } else {
+            done(null,false);
+        }
+    });
+}
+clientPasswordStrategy.ClientPasswordStrategy = new ClientPasswordStrategy(clientPasswordStrategy);
+
+var passwordTokenExchange = function(client, username, password, scope, done) {
+  users.get(username).then(function(user) {
+      if (user && user.password == crypto.createHash('md5').update(password,'utf8').digest('hex')) {
+          tokens.create(username,client.id,scope).then(function(token) {
+              done(null,token);
+          });
+      } else {
+          done(new Error("Invalid"),false);
+      }
+  });
+}
+
+module.exports = {
+    bearerStrategy: bearerStrategy,
+    clientPasswordStrategy: clientPasswordStrategy,
+    passwordTokenExchange: passwordTokenExchange
+}

red/api/auth/tokens.js

@@ -0,0 +1,40 @@
+/**
+ * Copyright 2014 IBM Corp.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+
+var when = require("when");
+
+function generateToken(length) {
+    var c = "ABCDEFGHIJKLMNOPQRSTUZWXYZabcdefghijklmnopqrstuvwxyz1234567890";
+    var token = [];
+    for (var i=0;i<length;i++) {
+        token.push(c[Math.floor(Math.random()*c.length)]);
+    }
+    return token.join("");
+}
+
+var tokens = {}
+
+module.exports = {
+    get: function(token) {
+        return when.resolve(tokens[token]);
+    },
+    create: function(user,client,scope) {
+        var token = generateToken(256);
+        tokens[token] = {user:user,client:client,scope:scope};
+        return when.resolve(token);
+    }
+    
+};

red/api/auth/users.js

@@ -0,0 +1,40 @@
+/**
+ * Copyright 2014 IBM Corp.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+ 
+var when = require("when");
+var crypto = require("crypto");
+
+var settings = require("../../settings");
+
+//{username:"nick",password:crypto.createHash('md5').update("foo",'utf8').digest('hex')}
+var users = [];
+
+if (settings.httpAdminAuth) {
+    if (settings.httpAdminAuth.user && settings.httpAdminAuth.pass) {
+        users.push({username:settings.httpAdminAuth.user, password:settings.httpAdminAuth.pass});
+    }
+}
+
+module.exports = {
+    get: function(username) {
+        for (var i=0;i<users.length;i++) {
+            if (users[i].username == username) {
+                return when.resolve(users[i]);
+            }
+        }
+        return when.resolve(null);
+    }
+}

red/api/index.js

@@ -16,11 +16,15 @@
 
 var express = require("express");
 var util = require('util');
+var passport = require('passport');
 
 var ui = require("./ui");
 var nodes = require("./nodes");
 var flows = require("./flows");
 var library = require("./library");
+var info = require("./info");
+
+var auth = require("./auth");
 
 var settings = require("../settings");
 
@@ -30,39 +34,56 @@ var errorHandler = function(err,req,res,next) {
 };
 
 function init(adminApp) {
-
+    
+    var apiApp = express();
+    
     adminApp.use(express.json());
+    adminApp.use(express.urlencoded());
+    
+    //TODO: all passport references ought to be in ./auth
+    apiApp.use(passport.initialize());
+    
+    apiApp.use(auth.authenticate);
+    apiApp.post("/auth/token",
+        auth.ensureClientSecret,
+        auth.authenticateClient,
+        auth.getToken,
+        auth.errorHandler
+    );
 
-    library.init(adminApp);
+    // Flows
+    apiApp.get("/flows",flows.get);
+    apiApp.post("/flows",flows.post);
+    
+    // Nodes
+    apiApp.get("/nodes",nodes.getAll);
+    apiApp.post("/nodes",nodes.post);
 
+    apiApp.get("/nodes/:mod",nodes.getModule);
+    apiApp.put("/nodes/:mod",nodes.putModule);
+    apiApp.delete("/nodes/:mod",nodes.delete);
+    
+    apiApp.get("/nodes/:mod/:set",nodes.getSet);
+    apiApp.put("/nodes/:mod/:set",nodes.putSet);
+
+    // Library
+    library.init(apiApp);
+    apiApp.post(new RegExp("/library/flows\/(.*)"),library.post);
+    apiApp.get("/library/flows",library.getAll);
+    apiApp.get(new RegExp("/library/flows\/(.*)"),library.get);
+    
+    // Settings
+    apiApp.get("/settings",info.settings);
+    
     // Editor
     if (!settings.disableEditor) {
         adminApp.get("/",ui.ensureSlash);
         adminApp.get("/icons/:icon",ui.icon);
-        adminApp.get("/settings",ui.settings);
         adminApp.use("/",ui.editor);
     }
-
-    // Flows
-    adminApp.get("/flows",flows.get);
-    adminApp.post("/flows",flows.post);
-
-    // Nodes
-    adminApp.get("/nodes",nodes.getAll);
-    adminApp.post("/nodes",nodes.post);
-
-    adminApp.get("/nodes/:mod",nodes.getModule);
-    adminApp.put("/nodes/:mod",nodes.putModule);
-    adminApp.delete("/nodes/:mod",nodes.delete);
-
-    adminApp.get("/nodes/:mod/:set",nodes.getSet);
-    adminApp.put("/nodes/:mod/:set",nodes.putSet);
-
-    // Library
-    adminApp.post(new RegExp("/library/flows\/(.*)"),library.post);
-    adminApp.get("/library/flows",library.getAll);
-    adminApp.get(new RegExp("/library/flows\/(.*)"),library.get);
-
+    
+    adminApp.use(apiApp);
+    
     // Error Handler
     adminApp.use(errorHandler);
 }

red/api/info.js

@@ -0,0 +1,26 @@
+/**
+ * Copyright 2014 IBM Corp.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+var settings = require('../settings');
+
+module.exports = {
+    settings: function(req,res) {
+        var safeSettings = {
+            httpNodeRoot: settings.httpNodeRoot,
+            version: settings.version
+        };
+        res.json(safeSettings);
+    }
+}