Add permissions and user menu

This commit is contained in:
Nick O'Leary
2014-12-10 14:16:07 +00:00
parent f5d7903ecb
commit a494954275
17 changed files with 458 additions and 211 deletions


@@ -18,23 +18,29 @@ var passport = require("passport");
var oauth2orize = require("oauth2orize");
var strategies = require("./strategies");
var tokens = require("./tokens");
var Tokens = require("./tokens");
var Users = require("./users");
var settings = require("../../settings");
passport.use(strategies.bearerStrategy.BearerStrategy);
passport.use(strategies.clientPasswordStrategy.ClientPasswordStrategy);
passport.use(strategies.anonymousStrategy);
var server = oauth2orize.createServer();
server.exchange(oauth2orize.exchange.password(strategies.passwordTokenExchange));
function init() {
Users.init();
}
function authenticate(req,res,next) {
if (settings.adminAuth) {
if (/^\/auth\/.*/.test(req.originalUrl)) {
next();
} else {
return passport.authenticate('bearer', { session: false })(req,res,next);
return passport.authenticate(['bearer','anon'], { session: false })(req,res,next);
}
} else {
next();
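Review bot: The `['bearer','anon']` chain on the `passport.authenticate` line lets a request whose bearer token is invalid, expired or revoked fall through to the anonymous strategy, because passport moves to the next strategy whenever the previous one fails, so such a caller is silently downgraded to the anonymous user instead of receiving the 401 that would make the editor re-authenticate. The anonymous strategy in strategies.js already reads `req.headers['authorization']` into a variable it never uses; making it fail when that header is present, `if (authorization) { return this.fail(401); }`, keeps anonymous access for callers that send no token while still rejecting stale ones. If the downgrade is intended, a comment on this line saying so would spare the next reader the same analysis. The closing brace of `authenticate` lies outside this hunk.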
@@ -59,18 +65,18 @@ function login(req,res) {
"type":"credentials",
"prompts":[{id:"username",type:"text",label:"Username"},{id:"password",type:"password",label:"Password"}]
}
res.json(response);
}
function revoke(req,res) {
var token = req.body.token;
tokens.revoke(token).then(function() {
Tokens.revoke(token).then(function() {
res.send(200);
});
}
module.exports = {
init: init,
authenticate: authenticate,
ensureClientSecret: ensureClientSecret,
authenticateClient: authenticateClient,

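--- /dev/null
+++ b/red/api/auth/permissions.js
@@ -0,0 +1,50 @@
+/**
+ * Copyright 2014 IBM Corp.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+var util = require('util');
+var readRE = /^(.*)\.read$/
+var writeRE = /^(.*)\.write$/
+function needsPermission(perm) {
+return function(req,res,next) {
+if (!req.user) {
+return next();
+}
+if (hasPermission(req.user,perm)) {
+return next();
+}
+return res.send(401);
+}
+}
+function hasPermission(user,permission) {
+if (!user.permissions) {
+return false;
+}
+if (user.permissions == "*") {
+return true;
+}
+if (user.permissions == "read") {
+return readRE.test(permission);
+}
+}
+module.exports = {
+hasPermission: hasPermission,
+needsPermission: needsPermission,
+}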
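Review bot: `needsPermission` fails open at `if (!req.user) { return next(); }`: it relies on the admin `authenticate` middleware having run, which leaves `req.user` unset only when `adminAuth` is disabled, but the same function is also exported on `RED.auth` for arbitrary routes, where an unset `req.user` more likely means no authentication ran at all. Gating on the setting makes the intent explicit and the default fail-closed: `var settings = require("../../settings");` at the top and `if (!req.user) { return settings.adminAuth ? res.send(401) : next(); }` in the middleware. Two smaller points: `hasPermission` returns `undefined` rather than `false` for any `permissions` value other than `"*"` or `"read"`, so an explicit `return false;` at its end would document the fail-closed default, and for an authenticated user lacking the permission 403 is the conventional status, 401 being what prompts a login. `util` and `writeRE` are defined but never used.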


@@ -16,9 +16,10 @@
var BearerStrategy = require('passport-http-bearer').Strategy;
var ClientPasswordStrategy = require('passport-oauth2-client-password').Strategy;
var passport = require("passport");
var crypto = require("crypto");
var util = require("util");
var Tokens = require("./tokens");
var Users = require("./users");
var Clients = require("./clients");
@@ -29,7 +30,7 @@ var bearerStrategy = function (accessToken, done) {
if (token) {
Users.get(token.user).then(function(user) {
if (user) {
done(null,{username:user.username},{scope:token.scope});
done(null,user,{scope:token.scope});
} else {
done(null,false);
}
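Review bot: `done(null,user,{scope:token.scope})` now attaches the whole object returned by `Users.get` as `req.user`, where the previous line attached only `{username}`. With the built-in credentials backend that object holds just `username` and `permissions`, but with a custom `adminAuth.api.get` it is whatever the backend returns, and any handler that serializes `req.user` (a user menu, per the commit title) would send it to the browser. Copying only the fields the server needs, `done(null,{username:user.username,permissions:user.permissions},{scope:token.scope});`, bounds that regardless of backend — assuming no downstream code relies on other fields, which I cannot confirm from this hunk. The enclosing `bearerStrategy` function starts and ends outside this hunk.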
@@ -53,19 +54,38 @@ var clientPasswordStrategy = function(clientId, clientSecret, done) {
clientPasswordStrategy.ClientPasswordStrategy = new ClientPasswordStrategy(clientPasswordStrategy);
var passwordTokenExchange = function(client, username, password, scope, done) {
Users.get(username,password).then(function(user) {
Users.authenticate(username,password).then(function(user) {
if (user) {
Tokens.create(username,client.id,scope).then(function(token) {
done(null,token);
});
} else {
done(new Error("Invalid"),false);
done(null,false);
}
});
}
function AnonymousStrategy() {
passport.Strategy.call(this);
this.name = 'anon';
}
util.inherits(AnonymousStrategy, passport.Strategy);
AnonymousStrategy.prototype.authenticate = function(req) {
var authorization = req.headers['authorization'];
var self = this;
Users.anonymous().then(function(anon) {
if (anon) {
self.success(anon);
} else {
self.fail(401);
}
});
}
module.exports = {
bearerStrategy: bearerStrategy,
clientPasswordStrategy: clientPasswordStrategy,
passwordTokenExchange: passwordTokenExchange
passwordTokenExchange: passwordTokenExchange,
anonymousStrategy: new AnonymousStrategy()
}


@@ -19,30 +19,79 @@ var crypto = require("crypto");
var util = require("util");
var settings = require("../../settings");
/*
adminAuth: {
type: "credentials",
users: [{
username: "nol",
password: "5f4dcc3b5aa765d61d8327deb882cf99" // password
}],
anonymous: {}
},
adminAuth: {
type: "credentials",
api: {
get: function(username) {}
authenticate: function(username,password) {}
anonymous: function() {}
}
*/
//{username:"nick",password:crypto.createHash('md5').update("foo",'utf8').digest('hex')}
var users = {};
var passwords = {};
var api = {};
var anonymousUser = null;
if (settings.adminAuth) {
if (settings.adminAuth.type == "credentials") {
if (settings.adminAuth.users) {
if (util.isArray(settings.adminAuth.users)) {
for (var i=0;i<settings.adminAuth.users.length;i++) {
var u = settings.adminAuth.users[i];
users[u.username] = {
"username":u.username
};
passwords[u.username] = u.password;
var api = {
get: function(username) {
return when.resolve(null);
},
authenticate: function(username,password) {
return when.resolve(null);
},
anonymous: function() {
return when.resolve(null);
}
}
function init() {
users = {};
passwords = {};
anonymousUser = null;
if (settings.adminAuth) {
if (settings.adminAuth.type == "credentials") {
if (settings.adminAuth.api) {
api.get = settings.adminAuth.api.get || api.get;
api.authenticate = settings.adminAuth.api.authenticate || api.authenticate;
api.anonymous = settings.adminAuth.api.anonymous || api.anonymous;
} else {
if (settings.adminAuth.users) {
var us = settings.adminAuth.users;
if (!util.isArray(us)) {
us = [us];
}
for (var i=0;i<us.length;i++) {
var u = us[i];
users[u.username] = {
"username":u.username,
"permissions":u.permissions
};
passwords[u.username] = u.password;
}
}
var api = {
if (settings.adminAuth.anonymous) {
anonymousUser = {
"anonymous": true,
"permissions":settings.adminAuth.anonymous.permissions
}
}
api = {
get: function(username) {
return when.resolve(users[username]);
},
authenticate: function(username,password) {
return api.get(username).then(function(user) {
if (user) {
if (user) {
var pass = crypto.createHash('md5').update(password,'utf8').digest('hex');
if (pass == passwords[username]) {
return when.resolve(user);
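Review bot: The configuration comment near the top of the hunk lists `adminAuth.api` as three bare function signatures but not their contract, which the callers in strategies.js fix: each must return a promise (the results are consumed with `.then`), `get` and `authenticate` resolving to a user object or null and `anonymous` to the anonymous user or null. It should also say that the resolved object becomes the request's user and should carry only `username` and `permissions` — the built-in backend keeps password hashes in the separate `passwords` map rather than on the user object, and a custom `get` ought to keep the same separation. Separately, the `api.get = settings.adminAuth.api.get || api.get` lines merge a partial custom api with the stubs, so a backend that omits `anonymous` silently gets no anonymous access; worth a sentence in the comment. The built-in backend still compares an unsalted MD5 digest with `==` on the `crypto.createHash('md5')` lines, which predates this commit but deserves a follow-up. `init` continues past the end of this hunk.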
@@ -50,15 +99,20 @@ if (settings.adminAuth) {
}
return when.resolve(null);
});
},
anonymous: function() {
return when.resolve(anonymousUser);
}
}
} else {
api = settings.adminAuth.users;
}
}
}
}
module.exports = api;
module.exports = {
init: init,
get: function(username) { return api.get(username) },
authenticate: function(username,password) { return api.authenticate(username,password) },
anonymous: function() { return api.anonymous(); }
};


@@ -16,6 +16,7 @@
var express = require("express");
var util = require('util');
var path = require('path');
var passport = require('passport');
var ui = require("./ui");
@@ -25,6 +26,7 @@ var library = require("./library");
var info = require("./info");
var auth = require("./auth");
var needsPermission = require("./auth/permissions").needsPermission;
var settings = require("../settings");
@@ -35,6 +37,7 @@ var errorHandler = function(err,req,res,next) {
function init(adminApp) {
auth.init();
// Editor
if (!settings.disableEditor) {
@@ -62,28 +65,28 @@ function init(adminApp) {
adminApp.post("/auth/revoke",auth.revoke);
// Flows
adminApp.get("/flows",flows.get);
adminApp.post("/flows",flows.post);
adminApp.get("/flows",needsPermission("flows.read"),flows.get);
adminApp.post("/flows",needsPermission("flows.write"),flows.post);
// Nodes
adminApp.get("/nodes",nodes.getAll);
adminApp.post("/nodes",nodes.post);
adminApp.get("/nodes",needsPermission("nodes.read"),nodes.getAll);
adminApp.post("/nodes",needsPermission("nodes.write"),nodes.post);
adminApp.get("/nodes/:mod",nodes.getModule);
adminApp.put("/nodes/:mod",nodes.putModule);
adminApp.delete("/nodes/:mod",nodes.delete);
adminApp.get("/nodes/:mod",needsPermission("nodes.read"),nodes.getModule);
adminApp.put("/nodes/:mod",needsPermission("nodes.write"),nodes.putModule);
adminApp.delete("/nodes/:mod",needsPermission("nodes.write"),nodes.delete);
adminApp.get("/nodes/:mod/:set",nodes.getSet);
adminApp.put("/nodes/:mod/:set",nodes.putSet);
adminApp.get("/nodes/:mod/:set",needsPermission("nodes.read"),nodes.getSet);
adminApp.put("/nodes/:mod/:set",needsPermission("nodes.write"),nodes.putSet);
// Library
library.init(adminApp);
adminApp.post(new RegExp("/library/flows\/(.*)"),library.post);
adminApp.get("/library/flows",library.getAll);
adminApp.get(new RegExp("/library/flows\/(.*)"),library.get);
adminApp.post(new RegExp("/library/flows\/(.*)"),needsPermission("library.write"),library.post);
adminApp.get("/library/flows",needsPermission("library.read"),library.getAll);
adminApp.get(new RegExp("/library/flows\/(.*)"),needsPermission("library.read"),library.get);
// Settings
adminApp.get("/settings",info.settings);
adminApp.get("/settings",needsPermission("settings.read"),info.settings);
// Error Handler
adminApp.use(errorHandler);
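Review bot: The routes registered inside `library.init(adminApp)` are not visible in this hunk, so it is unclear whether they receive a `needsPermission` guard like the `/library/flows` routes right below it; if they do not, library entries stay reachable by the anonymous user even when it lacks `library.read` — confirm inside `library.init`. A comment at the `// Library` marker, `// routes registered by library.init must add their own needsPermission guard`, would record whichever way that goes. The closing brace of `init` is outside this hunk.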


@@ -14,8 +14,6 @@
* limitations under the License.
**/
var tokens = require("./api/auth/tokens");
var ws = require("ws");
var log = require("./log");
@@ -37,24 +35,23 @@ function init(_server,_settings) {
settings = _settings;
}
function start() {
function start() {
var Tokens = require("./api/auth/tokens");
var Users = require("./api/auth/users");
var Permissions = require("./api/auth/permissions");
if (!settings.disableEditor) {
var webSocketKeepAliveTime = settings.webSocketKeepAliveTime || 15000;
var path = settings.httpAdminRoot || "/";
path = path + (path.slice(-1) == "/" ? "":"/") + "comms";
wsServer = new ws.Server({server:server,path:path});
wsServer.on('connection',function(ws) {
var pendingAuth = (settings.adminAuth != null);
if (!pendingAuth) {
activeConnections.push(ws);
} else {
pendingConnections.push(ws);
}
ws.on('close',function() {
Users.anonymous().then(function(anonymousUser) {
var webSocketKeepAliveTime = settings.webSocketKeepAliveTime || 15000;
var path = settings.httpAdminRoot || "/";
path = path + (path.slice(-1) == "/" ? "":"/") + "comms";
wsServer = new ws.Server({server:server,path:path});
wsServer.on('connection',function(ws) {
var pendingAuth = (settings.adminAuth != null);
if (!pendingAuth) {
removeActiveConnection(ws);
activeConnections.push(ws);
} else {
removePendingConnection(ws);
}
@@ -67,31 +64,64 @@ function start() {
log.warn("comms received malformed message : "+err.toString());
return;
}
if (!pendingAuth) {
if (msg.subscribe) {
handleRemoteSubscription(ws,msg.subscribe);
ws.on('close',function() {
removeActiveConnection(ws);
removePendingConnection(ws);
});
ws.on('message', function(data,flags) {
var msg = null;
try {
msg = JSON.parse(data);
} catch(err) {
util.log("[red:comms] received malformed message : "+err.toString());
return;
}
} else {
if (msg.auth) {
tokens.get(msg.auth).then(function(client) {
if (!client) {
if (!pendingAuth) {
if (msg.subscribe) {
handleRemoteSubscription(ws,msg.subscribe);
}
} else {
var completeConnection = function(user) {
if (!user || !Permissions.hasPermission(user,"status.read")) {
ws.close();
} else {
pendingAuth = false;
removePendingConnection(ws);
activeConnections.push(ws);
ws.send(JSON.stringify({auth:"ok"}));
}
});
} else {
ws.close();
}
if (msg.auth) {
Tokens.get(msg.auth).then(function(client) {
if (client) {
Users.get(client.user).then(completeConnection);
} else {
completeConnection(null);
}
});
} else {
completeConnection(anonymousUser);
}
}
}
});
ws.on('error', function(err) {
util.log("[red:comms] error : "+err.toString());
});
});
ws.on('error', function(err) {
log.warn("comms error : "+err.toString());
});
lastSentTime = Date.now();
heartbeatTimer = setInterval(function() {
var now = Date.now();
if (now-lastSentTime > webSocketKeepAliveTime) {
publish("hb",lastSentTime);
}
}, webSocketKeepAliveTime);
});
wsServer.on('error', function(err) {
log.warn("comms server error : "+err.toString());
});
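Review bot: The whole websocket server setup now runs inside `Users.anonymous().then(function(anonymousUser) {...})` with no rejection handler, so if a configured `adminAuth.api.anonymous` rejects, `start` silently never creates `wsServer` and nothing is logged; replacing the closing `});` with `}, function(err) { log.warn("comms failed to start : "+err.toString()); });` surfaces it. Note also that the anonymous user is resolved once here and reused for the server's lifetime, which a dynamic backend may not expect. The token is checked once in `completeConnection` and the connection then stays in `activeConnections` until it closes, so revoking a token through `/auth/revoke` does not end a websocket session opened with it — if that matters, the revoke path needs to close the matching connection, which means remembering the token alongside the ws. The closing brace of `start` is outside this hunk.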


@@ -23,6 +23,7 @@ var util = require("./util");
var fs = require("fs");
var settings = require("./settings");
var credentials = require("./nodes/credentials");
var permissions = require("./api/auth/permissions");
var path = require('path');
@@ -50,6 +51,9 @@ var RED = {
comms: comms,
settings:settings,
util: util,
auth: {
needsPermission: permissions.needsPermission
},
version: function () {
var p = require(path.join(process.env.NODE_RED_HOME,"package.json"));
if (fs.existsSync(path.join(process.env.NODE_RED_HOME,".git"))) {
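Review bot: The new `auth.needsPermission` entry on the `RED` object is undocumented, and its behaviour outside the admin API is not obvious: the middleware in api/auth/permissions.js passes the request through whenever `req.user` is unset, so on a route that is not behind the admin `authenticate` middleware it enforces nothing. A comment on the entry, `// Route guard for node authors; only enforces when the admin auth middleware has set req.user, a no-op otherwise`, would make that explicit. The `RED` object literal starts and ends outside this hunk.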


@@ -83,9 +83,6 @@ var persistentSettings = {
userSettings = null;
globalSettings = null;
storage = null;
}
}