1
0
mirror of https://github.com/node-red/node-red.git synced 2023-10-10 13:36:53 +02:00

Add oauth grant

This commit is contained in:
Nick O'Leary 2014-11-06 22:59:48 +00:00
parent c8ccacb035
commit 2128b57ab2
18 changed files with 509 additions and 64 deletions

View File

@ -49,7 +49,11 @@
"is-utf8":"0.2.0", "is-utf8":"0.2.0",
"serialport":"1.4.10", "serialport":"1.4.10",
"feedparser":"0.19.2", "feedparser":"0.19.2",
"fs.notify":"0.0.4" "fs.notify":"0.0.4",
"passport":"0.2.1",
"passport-http-bearer":"1.0.1",
"passport-oauth2-client-password":"0.1.2",
"oauth2orize":"1.0.1"
}, },
"devDependencies": { "devDependencies": {
"grunt": "0.4.5", "grunt": "0.4.5",

32
red/api/auth/clients.js Normal file
View File

@ -0,0 +1,32 @@
/**
* Copyright 2014 IBM Corp.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
**/
var when = require("when");
var clients = [
{id:"node-red-admin",secret:"not_available"}
];
module.exports = {
get: function(id) {
for (var i=0;i<clients.length;i++) {
if (clients[i].id == id) {
return when.resolve(clients[i]);
}
}
return when.resolve(null);
}
}

63
red/api/auth/index.js Normal file
View File

@ -0,0 +1,63 @@
/**
* Copyright 2014 IBM Corp.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
**/
var passport = require("passport");
var oauth2orize = require("oauth2orize");
var strategies = require("./strategies");
var settings = require("../../settings");
passport.use(strategies.bearerStrategy.BearerStrategy);
passport.use(strategies.clientPasswordStrategy.ClientPasswordStrategy);
var server = oauth2orize.createServer();
server.exchange(oauth2orize.exchange.password(strategies.passwordTokenExchange));
function authenticate(req,res,next) {
if (settings.httpAdminAuth) {
if (/^\/auth\/.*/.test(req.originalUrl)) {
next();
} else {
return passport.authenticate('bearer', { session: false })(req,res,next);
}
} else {
next();
}
}
function ensureClientSecret(req,res,next) {
if (!req.body.client_secret) {
req.body.client_secret = 'not_available';
}
next();
}
function authenticateClient(req,res,next) {
return passport.authenticate(['oauth2-client-password'], {session: false})(req,res,next);
}
function getToken(req,res,next) {
return server.token()(req,res,next);
}
module.exports = {
authenticate: authenticate,
ensureClientSecret: ensureClientSecret,
authenticateClient: authenticateClient,
getToken: getToken,
errorHandler: server.errorHandler()
}

View File

@ -0,0 +1,71 @@
/**
* Copyright 2014 IBM Corp.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
**/
var BearerStrategy = require('passport-http-bearer').Strategy;
var ClientPasswordStrategy = require('passport-oauth2-client-password').Strategy;
var crypto = require("crypto");
var tokens = require("./tokens");
var users = require("./users");
var clients = require("./clients");
var bearerStrategy = function (accessToken, done) {
// is this a valid token?
tokens.get(accessToken).then(function(token) {
if (token) {
users.get(token.user).then(function(user) {
if (user) {
done(null,user,{scope:token.scope});
} else {
done(null,false);
}
});
} else {
done(null,false);
}
});
}
bearerStrategy.BearerStrategy = new BearerStrategy(bearerStrategy);
var clientPasswordStrategy = function(clientId, clientSecret, done) {
clients.get(clientId).then(function(client) {
if (client && client.secret == clientSecret) {
done(null,client);
} else {
done(null,false);
}
});
}
clientPasswordStrategy.ClientPasswordStrategy = new ClientPasswordStrategy(clientPasswordStrategy);
var passwordTokenExchange = function(client, username, password, scope, done) {
users.get(username).then(function(user) {
if (user && user.password == crypto.createHash('md5').update(password,'utf8').digest('hex')) {
tokens.create(username,client.id,scope).then(function(token) {
done(null,token);
});
} else {
done(new Error("Invalid"),false);
}
});
}
module.exports = {
bearerStrategy: bearerStrategy,
clientPasswordStrategy: clientPasswordStrategy,
passwordTokenExchange: passwordTokenExchange
}

40
red/api/auth/tokens.js Normal file
View File

@ -0,0 +1,40 @@
/**
* Copyright 2014 IBM Corp.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
**/
var when = require("when");
function generateToken(length) {
var c = "ABCDEFGHIJKLMNOPQRSTUZWXYZabcdefghijklmnopqrstuvwxyz1234567890";
var token = [];
for (var i=0;i<length;i++) {
token.push(c[Math.floor(Math.random()*c.length)]);
}
return token.join("");
}
var tokens = {}
module.exports = {
get: function(token) {
return when.resolve(tokens[token]);
},
create: function(user,client,scope) {
var token = generateToken(256);
tokens[token] = {user:user,client:client,scope:scope};
return when.resolve(token);
}
};

40
red/api/auth/users.js Normal file
View File

@ -0,0 +1,40 @@
/**
* Copyright 2014 IBM Corp.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
**/
var when = require("when");
var crypto = require("crypto");
var settings = require("../../settings");
//{username:"nick",password:crypto.createHash('md5').update("foo",'utf8').digest('hex')}
var users = [];
if (settings.httpAdminAuth) {
if (settings.httpAdminAuth.user && settings.httpAdminAuth.pass) {
users.push({username:settings.httpAdminAuth.user, password:settings.httpAdminAuth.pass});
}
}
module.exports = {
get: function(username) {
for (var i=0;i<users.length;i++) {
if (users[i].username == username) {
return when.resolve(users[i]);
}
}
return when.resolve(null);
}
}

View File

@ -16,11 +16,15 @@
var express = require("express"); var express = require("express");
var util = require('util'); var util = require('util');
var passport = require('passport');
var ui = require("./ui"); var ui = require("./ui");
var nodes = require("./nodes"); var nodes = require("./nodes");
var flows = require("./flows"); var flows = require("./flows");
var library = require("./library"); var library = require("./library");
var info = require("./info");
var auth = require("./auth");
var settings = require("../settings"); var settings = require("../settings");
@ -30,39 +34,56 @@ var errorHandler = function(err,req,res,next) {
}; };
function init(adminApp) { function init(adminApp) {
var apiApp = express();
adminApp.use(express.json()); adminApp.use(express.json());
adminApp.use(express.urlencoded());
//TODO: all passport references ought to be in ./auth
apiApp.use(passport.initialize());
apiApp.use(auth.authenticate);
apiApp.post("/auth/token",
auth.ensureClientSecret,
auth.authenticateClient,
auth.getToken,
auth.errorHandler
);
library.init(adminApp); // Flows
apiApp.get("/flows",flows.get);
apiApp.post("/flows",flows.post);
// Nodes
apiApp.get("/nodes",nodes.getAll);
apiApp.post("/nodes",nodes.post);
apiApp.get("/nodes/:mod",nodes.getModule);
apiApp.put("/nodes/:mod",nodes.putModule);
apiApp.delete("/nodes/:mod",nodes.delete);
apiApp.get("/nodes/:mod/:set",nodes.getSet);
apiApp.put("/nodes/:mod/:set",nodes.putSet);
// Library
library.init(apiApp);
apiApp.post(new RegExp("/library/flows\/(.*)"),library.post);
apiApp.get("/library/flows",library.getAll);
apiApp.get(new RegExp("/library/flows\/(.*)"),library.get);
// Settings
apiApp.get("/settings",info.settings);
// Editor // Editor
if (!settings.disableEditor) { if (!settings.disableEditor) {
adminApp.get("/",ui.ensureSlash); adminApp.get("/",ui.ensureSlash);
adminApp.get("/icons/:icon",ui.icon); adminApp.get("/icons/:icon",ui.icon);
adminApp.get("/settings",ui.settings);
adminApp.use("/",ui.editor); adminApp.use("/",ui.editor);
} }
// Flows adminApp.use(apiApp);
adminApp.get("/flows",flows.get);
adminApp.post("/flows",flows.post);
// Nodes
adminApp.get("/nodes",nodes.getAll);
adminApp.post("/nodes",nodes.post);
adminApp.get("/nodes/:mod",nodes.getModule);
adminApp.put("/nodes/:mod",nodes.putModule);
adminApp.delete("/nodes/:mod",nodes.delete);
adminApp.get("/nodes/:mod/:set",nodes.getSet);
adminApp.put("/nodes/:mod/:set",nodes.putSet);
// Library
adminApp.post(new RegExp("/library/flows\/(.*)"),library.post);
adminApp.get("/library/flows",library.getAll);
adminApp.get(new RegExp("/library/flows\/(.*)"),library.get);
// Error Handler // Error Handler
adminApp.use(errorHandler); adminApp.use(errorHandler);
} }

26
red/api/info.js Normal file
View File

@ -0,0 +1,26 @@
/**
* Copyright 2014 IBM Corp.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
**/
var settings = require('../settings');
module.exports = {
settings: function(req,res) {
var safeSettings = {
httpNodeRoot: settings.httpNodeRoot,
version: settings.version
};
res.json(safeSettings);
}
}

View File

View File

@ -0,0 +1,106 @@
/**
* Copyright 2014 IBM Corp.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
**/
var should = require("should");
var sinon = require("sinon");
var request = require('supertest');
var express = require('express');
var passport = require("passport");
var auth = require("../../../../red/api/auth");
var settings = require("../../../../red/settings");
describe("api auth middleware",function() {
describe("authenticate",function() {
it("does not trigger on auth paths", sinon.test(function(done) {
this.stub(passport,"authenticate",function() {
return function() {
settings.reset();
done(new Error("authentication not applied to auth path"));
}
});
settings.init({httpAdminAuth:{}});
var req = {
originalUrl: "/auth/token"
};
auth.authenticate(req,null,function() {
settings.reset();
done();
});
}));
it("does trigger on non-auth paths", sinon.test(function(done) {
this.stub(passport,"authenticate",function() {
return function() {
settings.reset();
done();
}
});
settings.init({httpAdminAuth:{}});
var req = {
originalUrl: "/"
};
auth.authenticate(req,null,function() {
settings.reset();
done(new Error("authentication applied to non-auth path"));
});
}));
it("does not trigger on non-auth paths with auth disabled", sinon.test(function(done) {
this.stub(passport,"authenticate",function() {
return function() {
settings.reset();
done(new Error("authentication applied when disabled"));
}
});
settings.init({});
var req = {
originalUrl: "/"
};
auth.authenticate(req,null,function() {
settings.reset();
done();
});
}));
});
describe("ensureClientSecret", function() {
it("leaves client_secret alone if not present",function(done) {
var req = {
body: {
client_secret: "test_value"
}
};
auth.ensureClientSecret(req,null,function() {
req.body.should.have.a.property("client_secret","test_value");
done();
})
});
it("applies a default client_secret if not present",function(done) {
var req = {
body: { }
};
auth.ensureClientSecret(req,null,function() {
req.body.should.have.a.property("client_secret","not_available");
done();
})
});
});
});

View File

@ -0,0 +1,19 @@
/**
* Copyright 2014 IBM Corp.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
**/
var strategies = require("../../../../red/api/auth/strategies");

View File

View File

View File

@ -20,7 +20,6 @@ var express = require('express');
var sinon = require('sinon'); var sinon = require('sinon');
var when = require('when'); var when = require('when');
var app = express();
var redNodes = require("../../../red/nodes"); var redNodes = require("../../../red/nodes");
var flows = require("../../../red/api/flows"); var flows = require("../../../red/api/flows");

View File

@ -47,12 +47,11 @@ describe("api index", function() {
.get("/icons/default.png") .get("/icons/default.png")
.expect(404,done) .expect(404,done)
}); });
it('does not serve settings', function(done) { it('serves settings', function(done) {
request(app) request(app)
.get("/settings") .get("/settings")
.expect(404,done) .expect(200,done)
}); });
}); });
describe("enables editor", function() { describe("enables editor", function() {

60
test/red/api/info_spec.js Normal file
View File

@ -0,0 +1,60 @@
/**
* Copyright 2014 IBM Corp.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
**/
var should = require("should");
var request = require('supertest');
var express = require('express');
var sinon = require('sinon');
var when = require('when');
var app = express();
var settings = require("../../../red/settings");
var info = require("../../../red/api/info");
describe("info api", function() {
describe("settings handler", function() {
before(function() {
var userSettings = {
foo: 123,
httpNodeRoot: "testHttpNodeRoot",
version: "testVersion"
}
settings.init(userSettings);
app = express();
app.get("/settings",info.settings);
});
after(function() {
settings.reset();
});
it('returns the filtered settings', function(done) {
request(app)
.get("/settings")
.expect(200)
.end(function(err,res) {
if (err) {
return done(err);
}
res.body.should.have.property("httpNodeRoot","testHttpNodeRoot");
res.body.should.have.property("version","testVersion");
res.body.should.not.have.property("foo",123);
done();
});
});
});
});

View File

@ -20,7 +20,6 @@ var express = require('express');
var sinon = require('sinon'); var sinon = require('sinon');
var when = require('when'); var when = require('when');
var app = express();
var redNodes = require("../../../red/nodes"); var redNodes = require("../../../red/nodes");
var server = require("../../../red/server"); var server = require("../../../red/server");
var settings = require("../../../red/settings"); var settings = require("../../../red/settings");

View File

@ -20,7 +20,6 @@ var express = require("express");
var fs = require("fs"); var fs = require("fs");
var path = require("path"); var path = require("path");
var settings = require("../../../red/settings");
var events = require("../../../red/events"); var events = require("../../../red/events");
var ui = require("../../../red/api/ui"); var ui = require("../../../red/api/ui");
@ -135,39 +134,6 @@ describe("ui api", function() {
}); });
}); });
describe("settings handler", function() {
before(function() {
var userSettings = {
foo: 123,
httpNodeRoot: "testHttpNodeRoot",
version: "testVersion"
}
settings.init(userSettings);
app = express();
app.get("/settings",ui.settings);
//app.use("/",ui.editor);
});
after(function() {
settings.reset();
});
it('returns the filtered settings', function(done) {
request(app)
.get("/settings")
.expect(200)
.end(function(err,res) {
if (err) {
return done(err);
}
res.body.should.have.property("httpNodeRoot","testHttpNodeRoot");
res.body.should.have.property("version","testVersion");
res.body.should.not.have.property("foo",123);
done();
});
});
});
describe("editor ui handler", function() { describe("editor ui handler", function() {
before(function() { before(function() {
app = express(); app = express();