
Enable finer grained permissions in adminAuth

This commit is contained in:
Nick O'Leary 2016-04-10 15:23:03 +01:00
parent 75a7be41eb
commit 44693dd23a
3 changed files with 36 additions and 25 deletions


@ -56,7 +56,7 @@ function needsPermission(permission) {
if (permissions.hasPermission(req.authInfo.scope,permission)) { if (permissions.hasPermission(req.authInfo.scope,permission)) {
return next(); return next();
} }
log.audit({event: "permission.fail"},req); log.audit({event: "permission.fail", permissions: permission},req);
return res.status(401).end(); return res.status(401).end();
}); });
} else { } else {
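Review bot: The audit entry on the `log.audit(...)` line now records which permission was requested but not the scope the caller actually held, so a `permission.fail` event cannot be triaged without looking up the token separately; unless `log.audit` already pulls that from `req`, consider `log.audit({event: "permission.fail", permissions: permission, scope: req.authInfo.scope},req);`. Note also that `permission` may be an array here (hasPermission accepts one), so whatever consumes the audit log should expect either a string or a list under `permissions`. The enclosing needsPermission handler starts before this hunk.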


@ -1,5 +1,5 @@
/** /**
* Copyright 2015 IBM Corp. * Copyright 2015, 2016 IBM Corp.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -20,41 +20,44 @@ var readRE = /^((.+)\.)?read$/
var writeRE = /^((.+)\.)?write$/ var writeRE = /^((.+)\.)?write$/
function hasPermission(userScope,permission) { function hasPermission(userScope,permission) {
var i;
if (util.isArray(userScope)) {
if (userScope.length === 0) {
return false;
}
for (i=0;i<userScope.length;i++) {
if (!hasPermission(userScope[i],permission)) {
return false;
}
}
return true;
}
if (permission === "") { if (permission === "") {
return true; return true;
} }
var i;
if (userScope === "*") {
return true;
}
if (util.isArray(permission)) { if (util.isArray(permission)) {
// Multiple permissions requested - check each one
for (i=0;i<permission.length;i++) { for (i=0;i<permission.length;i++) {
if (!hasPermission(userScope,permission[i])) { if (!hasPermission(userScope,permission[i])) {
return false; return false;
} }
} }
// All permissions check out
return true; return true;
} }
if (userScope === "read") { if (util.isArray(userScope)) {
return readRE.test(permission); if (userScope.length === 0) {
} else { return false;
return false; // anything not allowed is disallowed }
for (i=0;i<userScope.length;i++) {
if (hasPermission(userScope[i],permission)) {
return true;
}
}
return false;
} }
if (userScope === "*" || userScope === permission) {
return true;
}
if (userScope === "read" || userScope === "*.read") {
return readRE.test(permission);
} else if (userScope === "write" || userScope === "*.write") {
return writeRE.test(permission);
}
return false;
} }
module.exports = { module.exports = {
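Review bot: hasPermission now implements a small scope grammar — `*`, `read`/`*.read`, `write`/`*.write`, an exact match such as `flows.read`, an array of scopes where any single entry grants, and an array of permissions where every entry must be granted — but none of this is written down, and the array-of-scopes rule quietly changed from "every entry must grant" to "any entry grants". Add a JSDoc block above `function hasPermission(userScope,permission)` that states each of those rules and says explicitly that a `write` scope does not imply `read` (the `writeRE` branch only matches `*.write` permissions), since that is the first question anyone composing scopes for adminAuth will ask. A short comment on `if (userScope === "*" || userScope === permission)` such as `// wildcard scope, or an exact per-resource grant` would also help readers who skim past the regex branches. As a matter of style, `Array.isArray` does the same job as `util.isArray` without relying on a deprecated helper, though that is optional.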


@ -1,5 +1,5 @@
/** /**
* Copyright 2015 IBM Corp. * Copyright 2015, 2016 IBM Corp.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -31,14 +31,22 @@ describe("Auth permissions", function() {
permissions.hasPermission(["read"],"node.read").should.be.true; permissions.hasPermission(["read"],"node.read").should.be.true;
permissions.hasPermission(["read"],"write").should.be.false; permissions.hasPermission(["read"],"write").should.be.false;
permissions.hasPermission(["read"],"node.write").should.be.false; permissions.hasPermission(["read"],"node.write").should.be.false;
permissions.hasPermission(["*.read"],"read").should.be.true;
permissions.hasPermission(["*.read"],"node.read").should.be.true;
permissions.hasPermission(["*.read"],"write").should.be.false;
permissions.hasPermission(["*.read"],"node.write").should.be.false;
}); });
it('a user with foo permissions',function() { it('a user with foo permissions',function() {
permissions.hasPermission("foo","foo").should.be.false; permissions.hasPermission("foo","foo").should.be.true;
}); });
it('an array of permissions', function() { it('an array of permissions', function() {
permissions.hasPermission(["*"],["foo.read","foo.write"]).should.be.true; permissions.hasPermission(["*"],["foo.read","foo.write"]).should.be.true;
permissions.hasPermission("read",["foo.read","foo.write"]).should.be.false; permissions.hasPermission("read",["foo.read","foo.write"]).should.be.false;
permissions.hasPermission("read",["foo.read","bar.read"]).should.be.true; permissions.hasPermission("read",["foo.read","bar.read"]).should.be.true;
permissions.hasPermission(["flows.read"],["flows.read"]).should.be.true;
permissions.hasPermission(["flows.read"],["flows.write"]).should.be.false;
permissions.hasPermission(["flows.read","nodes.write"],["flows.write"]).should.be.false;
permissions.hasPermission(["flows.read","nodes.write"],["nodes.write"]).should.be.true;
}); });
it('permits an empty permission', function() { it('permits an empty permission', function() {
permissions.hasPermission("*","").should.be.true; permissions.hasPermission("*","").should.be.true;
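Review bot: The new `writeRE` branch of hasPermission (scopes `write` and `*.write`) has no case in this hunk — every scope exercised here is `read`, `*.read`, `*`, `foo`, or an exact `<name>.read`/`<name>.write` literal — so a regression that let `write` grant `node.read`, or stopped it granting `node.write`, would pass unnoticed. Add cases mirroring the read ones, e.g. `permissions.hasPermission(["write"],"node.write").should.be.true;` and `permissions.hasPermission(["write"],"node.read").should.be.false;`, plus the `*.write` alias. An empty scope array is an explicit branch in the new code and is worth pinning as denying too. The enclosing describe block starts before this hunk.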