Enable finer grained permissions in adminAuth

Nick O'Leary 2016-04-10 15:23:03 +01:00
parent 75a7be41eb
commit 44693dd23a
3 changed files with 36 additions and 25 deletions


@ -56,7 +56,7 @@ function needsPermission(permission) {
if (permissions.hasPermission(req.authInfo.scope,permission)) {
return next();
}
log.audit({event: "permission.fail"},req);
log.audit({event: "permission.fail", permissions: permission},req);
return res.status(401).end();
});
} else {
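Review bot: The audit record written by the new log.audit line names the permission that was required but not the scope the caller actually held, and the held scope is what lets an investigator distinguish a mis-scoped token from an unexpected caller; if log.audit accepts additional fields, `log.audit({event: "permission.fail", permissions: permission, scope: req.authInfo.scope},req);` would record both. Separately, the unchanged `return res.status(401).end();` answers a permission failure with the status that means "not authenticated", while a principal that is authenticated but lacks a permission is conventionally a 403; that is pre-existing and outside this commit, but worth a follow-up. needsPermission starts before the hunk and its body continues after it.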


@ -1,5 +1,5 @@
/**
* Copyright 2015 IBM Corp.
* Copyright 2015, 2016 IBM Corp.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -20,41 +20,44 @@ var readRE = /^((.+)\.)?read$/
var writeRE = /^((.+)\.)?write$/
function hasPermission(userScope,permission) {
var i;
if (util.isArray(userScope)) {
if (userScope.length === 0) {
return false;
}
for (i=0;i<userScope.length;i++) {
if (!hasPermission(userScope[i],permission)) {
return false;
}
}
return true;
}
if (permission === "") {
return true;
}
if (userScope === "*") {
return true;
}
var i;
if (util.isArray(permission)) {
// Multiple permissions requested - check each one
for (i=0;i<permission.length;i++) {
if (!hasPermission(userScope,permission[i])) {
return false;
}
}
// All permissions check out
return true;
}
if (userScope === "read") {
return readRE.test(permission);
} else {
return false; // anything not allowed is disallowed
if (util.isArray(userScope)) {
if (userScope.length === 0) {
return false;
}
for (i=0;i<userScope.length;i++) {
if (hasPermission(userScope[i],permission)) {
return true;
}
}
return false;
}
if (userScope === "*" || userScope === permission) {
return true;
}
if (userScope === "read" || userScope === "*.read") {
return readRE.test(permission);
} else if (userScope === "write" || userScope === "*.write") {
return writeRE.test(permission);
}
return false;
}
module.exports = {
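Review bot: If I read the sides correctly, the new ordering in hasPermission runs the `permission === ""` shortcut and the array-of-permissions loop before the scope is inspected, so `hasPermission([], "")` and `hasPermission([], [])` now return true where the removed ordering rejected an empty scope array first; if "nothing required" is the intended meaning of an empty permission that is defensible, but it is a fail-open change to the function that gates every admin route and deserves a test pinning it and a comment such as `// An empty permission means "no permission required" and is granted regardless of scope.` above the first check. The function also has no description of the scope grammar it now implements, which a later maintainer will need before touching it; I would add a JSDoc header stating that `*` grants everything, that `read`/`*.read` and `write`/`*.write` grant any permission matching readRE/writeRE, that any other scope string grants only an exact match, that an array scope grants when any entry grants, that an array permission requires every entry to be granted, and that anything else falls through to `return false;`.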


@ -1,5 +1,5 @@
/**
* Copyright 2015 IBM Corp.
* Copyright 2015, 2016 IBM Corp.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -31,14 +31,22 @@ describe("Auth permissions", function() {
permissions.hasPermission(["read"],"node.read").should.be.true;
permissions.hasPermission(["read"],"write").should.be.false;
permissions.hasPermission(["read"],"node.write").should.be.false;
permissions.hasPermission(["*.read"],"read").should.be.true;
permissions.hasPermission(["*.read"],"node.read").should.be.true;
permissions.hasPermission(["*.read"],"write").should.be.false;
permissions.hasPermission(["*.read"],"node.write").should.be.false;
});
it('a user with foo permissions',function() {
permissions.hasPermission("foo","foo").should.be.false;
permissions.hasPermission("foo","foo").should.be.true;
});
it('an array of permissions', function() {
permissions.hasPermission(["*"],["foo.read","foo.write"]).should.be.true;
permissions.hasPermission("read",["foo.read","foo.write"]).should.be.false;
permissions.hasPermission("read",["foo.read","bar.read"]).should.be.true;
permissions.hasPermission(["flows.read"],["flows.read"]).should.be.true;
permissions.hasPermission(["flows.read"],["flows.write"]).should.be.false;
permissions.hasPermission(["flows.read","nodes.write"],["flows.write"]).should.be.false;
permissions.hasPermission(["flows.read","nodes.write"],["nodes.write"]).should.be.true;
});
it('permits an empty permission', function() {
permissions.hasPermission("*","").should.be.true;
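Review bot: The exact-match rule that the flipped foo/foo expectation now depends on has no negative test, so nothing guards against a specific scope silently widening later; I would add `permissions.hasPermission("foo","foo.read").should.be.false;` and `permissions.hasPermission("foo.read","foo").should.be.false;` next to it. The new array cases also never check an empty scope array against a non-empty permission, which the implementation appears to reject explicitly, so `permissions.hasPermission([],"flows.read").should.be.false;` would pin that path. The 'permits an empty permission' test that begins on the last line of the hunk continues past it.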