From c8d6dc2531ca50ea44f845c7ddf4b6c67d42052a Mon Sep 17 00:00:00 2001
From: Nick O'Leary <nick.oleary@gmail.com>
Date: Sun, 29 Mar 2015 21:59:48 +0100
Subject: [PATCH] Auth permission should honour the token scope

---
 red/api/auth/index.js                 |  4 +--
 red/api/auth/permissions.js           | 35 +++++++++++++++++++++------
 red/api/auth/strategies.js            | 19 +++++++++------
 red/comms.js                          |  6 ++---
 test/red/api/auth/permissions_spec.js | 20 +++++++++------
 5 files changed, 56 insertions(+), 28 deletions(-)

diff --git a/red/api/auth/index.js b/red/api/auth/index.js
index 344f80bd9..137ac6d49 100644
--- a/red/api/auth/index.js
+++ b/red/api/auth/index.js
@@ -49,7 +49,7 @@ function needsPermission(permission) {
                 if (!req.user) {
                     return next();
                 }
-                if (permissions.hasPermission(req.user,permission)) {
+                if (permissions.hasPermission(req.authInfo.scope,permission)) {
                     return next();
                 }
                 return res.send(401);
@@ -101,7 +101,7 @@ module.exports = {
     errorHandler: function(err,req,res,next) {
         //TODO: standardize json response
         //TODO: audit log statment
-        //console.log(err.stack);
+        console.log(err.stack);
         //log.log({level:"audit",type:"auth",msg:err.toString()});
         return server.errorHandler()(err,req,res,next);
     },
diff --git a/red/api/auth/permissions.js b/red/api/auth/permissions.js
index 680797aa4..e0398c7ba 100644
--- a/red/api/auth/permissions.js
+++ b/red/api/auth/permissions.js
@@ -19,17 +19,36 @@ var util = require('util');
 var readRE = /^((.+)\.)?read$/
 var writeRE = /^((.+)\.)?write$/
 
-function hasPermission(user,permission) {
-    if (!user.permissions) {
-        return false;
-    }
-    if (user.permissions == "*") {
+function hasPermission(userScope,permission) {
+    var i;
+    if (util.isArray(userScope)) {
+        if (userScope.length === 0) {
+            return false;
+        }
+        for (i=0;i<userScope.length;i++) {
+            if (!hasPermission(userScope[i],permission)) {
+                return false;
+            }
+        }
         return true;
     }
-    if (user.permissions == "read") {
-        return readRE.test(permission);
+    
+    if (userScope == "*") {
+        return true;
     }
-    else {
+    
+    if (util.isArray(permission)) {
+        for (var i=0;i<permission.length;i++) {
+            if (!hasPermission(userScope,permission[i])) {
+                return false;
+            }
+        }
+        return true;
+    }
+    
+    if (userScope == "read") {
+        return readRE.test(permission);
+    } else {
         return false; // anything not allowed is disallowed
     }
 }
diff --git a/red/api/auth/strategies.js b/red/api/auth/strategies.js
index 05a0707b6..e85c8f276 100644
--- a/red/api/auth/strategies.js
+++ b/red/api/auth/strategies.js
@@ -24,6 +24,7 @@ var util = require("util");
 var Tokens = require("./tokens");
 var Users = require("./users");
 var Clients = require("./clients");
+var permissions = require("./permissions");
 
 var bearerStrategy = function (accessToken, done) {
     // is this a valid token?
@@ -79,13 +80,17 @@ var passwordTokenExchange = function(client, username, password, scope, done) {
 
     Users.authenticate(username,password).then(function(user) {
         if (user) {
-            loginAttempts = loginAttempts.filter(function(logEntry) {
-                return logEntry.user !== username;
-            });
-            Tokens.create(username,client.id,scope).then(function(tokens) {
-                // TODO: audit log
-                done(null,tokens.accessToken);
-            });
+            if (permissions.hasPermission(user,scope)) {
+                loginAttempts = loginAttempts.filter(function(logEntry) {
+                    return logEntry.user !== username;
+                });
+                Tokens.create(username,client.id,scope).then(function(tokens) {
+                    // TODO: audit log
+                    done(null,tokens.accessToken);
+                });
+            } else {
+                done(null,false);
+            }
         } else {
             // TODO: audit log
             done(null,false);
diff --git a/red/comms.js b/red/comms.js
index eb20f678c..3460b7631 100644
--- a/red/comms.js
+++ b/red/comms.js
@@ -71,8 +71,8 @@ function start() {
                             handleRemoteSubscription(ws,msg.subscribe);
                         }
                     } else {
-                        var completeConnection = function(user,sendAck) {
-                            if (!user || !Permissions.hasPermission(user,"status.read")) {
+                        var completeConnection = function(userScope,sendAck) {
+                            if (!userScope || !Permissions.hasPermission(userScope,"status.read")) {
                                 ws.close();
                             } else {
                                 pendingAuth = false;
@@ -87,7 +87,7 @@ function start() {
                             Tokens.get(msg.auth).then(function(client) {
                                 if (client) {
                                     Users.get(client.user).then(function(user) {
-                                        completeConnection(user,true);
+                                        completeConnection(client.scope,true);
                                     });
                                 } else {
                                     completeConnection(null,false);
diff --git a/test/red/api/auth/permissions_spec.js b/test/red/api/auth/permissions_spec.js
index 79f48eb5f..69a8f0293 100644
--- a/test/red/api/auth/permissions_spec.js
+++ b/test/red/api/auth/permissions_spec.js
@@ -20,20 +20,24 @@ var permissions = require("../../../../red/api/auth/permissions");
 describe("Auth permissions", function() {
     describe("hasPermission", function() {
         it('a user with no permissions',function() {
-            permissions.hasPermission({},"*").should.be.false;
+            permissions.hasPermission([],"*").should.be.false;
         });
         it('a user with global permissions',function() {
-            permissions.hasPermission({permissions:"*"},"read").should.be.true;
-            permissions.hasPermission({permissions:"*"},"write").should.be.true;
+            permissions.hasPermission("*","read").should.be.true;
+            permissions.hasPermission(["*"],"write").should.be.true;
         });
         it('a user with read permissions',function() {
-            permissions.hasPermission({permissions:"read"},"read").should.be.true;
-            permissions.hasPermission({permissions:"read"},"node.read").should.be.true;
-            permissions.hasPermission({permissions:"read"},"write").should.be.false;
-            permissions.hasPermission({permissions:"read"},"node.write").should.be.false;
+            permissions.hasPermission(["read"],"read").should.be.true;
+            permissions.hasPermission(["read"],"node.read").should.be.true;
+            permissions.hasPermission(["read"],"write").should.be.false;
+            permissions.hasPermission(["read"],"node.write").should.be.false;
         });
         it('a user with foo permissions',function() {
-            permissions.hasPermission({permissions:"foo"},"foo").should.be.false;
+            permissions.hasPermission("foo","foo").should.be.false;
+        });
+        it('an array of permissions', function() {
+            permissions.hasPermission(["*"],["foo.read","foo.write"]).should.be.true;
+            permissions.hasPermission("read",["foo.read","foo.write"]).should.be.false;
         });
     });
 });