Increase unit test coverage of auth code

red/api/auth/clients.js

@@ -17,6 +17,7 @@
 var when = require("when");
 
 var clients = [
+    {id:"node-red-editor",secret:"not_available"},
     {id:"node-red-admin",secret:"not_available"}
 ];
 

red/api/auth/index.js

@@ -22,6 +22,8 @@ var Tokens = require("./tokens");
 var Users = require("./users");
 
 var settings = require("../../settings");
+var log = require("../../log");
+
 
 passport.use(strategies.bearerStrategy.BearerStrategy);
 passport.use(strategies.clientPasswordStrategy.ClientPasswordStrategy);
@@ -32,7 +34,10 @@ var server = oauth2orize.createServer();
 server.exchange(oauth2orize.exchange.password(strategies.passwordTokenExchange));
 
 function init() {
-    Users.init();
+    if (settings.adminAuth) {
+        Users.init(settings.adminAuth);
+        Tokens.init(settings)
+    }
 }
 
 function authenticate(req,res,next) {
@@ -70,6 +75,7 @@ function login(req,res) {
 
 function revoke(req,res) {
     var token = req.body.token;
+    // TODO: audit log
     Tokens.revoke(token).then(function() {
         res.send(200);
     });
@@ -81,7 +87,13 @@ module.exports = {
     ensureClientSecret: ensureClientSecret,
     authenticateClient: authenticateClient,
     getToken: getToken,
-    errorHandler: server.errorHandler(),
+    errorHandler: function(err,req,res,next) {
+        //TODO: standardize json response
+        //TODO: audit log statment
+        //console.log(err.stack);
+        //log.log({level:"audit",type:"auth",msg:err.toString()});
+        return server.errorHandler()(err,req,res,next);
+    },
     login: login,
     revoke: revoke
 }

red/api/auth/permissions.js

@@ -16,8 +16,8 @@
 
 var util = require('util');
 
-var readRE = /^(.*)\.read$/
-var writeRE = /^(.*)\.write$/
+var readRE = /^((.+)\.)?read$/
+var writeRE = /^((.+)\.)?write$/
 
 function needsPermission(perm) {
     return function(req,res,next) {

red/api/auth/strategies.js

@@ -16,10 +16,11 @@
 
 var BearerStrategy = require('passport-http-bearer').Strategy;
 var ClientPasswordStrategy = require('passport-oauth2-client-password').Strategy;
-var passport = require("passport");
 
+var passport = require("passport");
 var crypto = require("crypto");
 var util = require("util");
+
 var Tokens = require("./tokens");
 var Users = require("./users");
 var Clients = require("./clients");
@@ -53,28 +54,52 @@ var clientPasswordStrategy = function(clientId, clientSecret, done) {
 }
 clientPasswordStrategy.ClientPasswordStrategy = new ClientPasswordStrategy(clientPasswordStrategy);
 
-var passwordTokenExchange = function(client, username, password, scope, done) {
-  Users.authenticate(username,password).then(function(user) {
-      if (user) {
-          Tokens.create(username,client.id,scope).then(function(token) {
-              done(null,token);
-          });
-      } else {
-          done(null,false);
-      }
-  });
-}
+var loginAttempts = [];
+var loginSignUpWindow = 36000000; // 10 minutes
 
 
+var passwordTokenExchange = function(client, username, password, scope, done) {
+    var now = Date.now();
+    loginAttempts = loginAttempts.filter(function(logEntry) {
+        return logEntry.time + loginSignUpWindow > now;  
+    });
+    loginAttempts.push({time:now, user:username});
+    var attemptCount = 0;
+    loginAttempts.forEach(function(logEntry) {
+        if (logEntry.user == username) {
+            attemptCount++;
+        }
+    });
+    if (attemptCount > 5) {
+        // TODO: audit log
+        done(new Error("Too many login attempts. Wait 10 minutes and try again"),false);
+        return;
+    }
+    
+    Users.authenticate(username,password).then(function(user) {
+        if (user) {
+            loginAttempts = loginAttempts.filter(function(logEntry) {
+                return logEntry.user !== username;  
+            });
+            Tokens.create(username,client.id,scope).then(function(tokens) {
+                // TODO: audit log
+                done(null,tokens.accessToken);
+            });
+        } else {
+            // TODO: audit log
+            done(null,false);
+        }
+    });
+}
+
 function AnonymousStrategy() {
   passport.Strategy.call(this);
   this.name = 'anon';
 }
 util.inherits(AnonymousStrategy, passport.Strategy);
 AnonymousStrategy.prototype.authenticate = function(req) {
-    var authorization = req.headers['authorization'];
     var self = this;
-    Users.anonymous().then(function(anon) {
+    Users.default().then(function(anon) {
         if (anon) {
             self.success(anon);
         } else {

red/api/auth/tokens.js

@@ -1,44 +0,0 @@
-/**
- * Copyright 2015 IBM Corp.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- **/
-
-var when = require("when");
-
-function generateToken(length) {
-    var c = "ABCDEFGHIJKLMNOPQRSTUZWXYZabcdefghijklmnopqrstuvwxyz1234567890";
-    var token = [];
-    for (var i=0;i<length;i++) {
-        token.push(c[Math.floor(Math.random()*c.length)]);
-    }
-    return token.join("");
-}
-
-var tokens = {}
-
-module.exports = {
-    get: function(token) {
-        return when.resolve(tokens[token]);
-    },
-    create: function(user,client,scope) {
-        var token = generateToken(256);
-        tokens[token] = {user:user,client:client,scope:scope};
-        return when.resolve(token);
-    },
-    revoke: function(token) {
-        delete tokens[token];
-        return when.resolve();
-    }
-    
-};

red/api/auth/tokens/index.js

@@ -0,0 +1,81 @@
+/**
+ * Copyright 2015 IBM Corp.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+
+var when = require("when");
+var Sessions;
+
+function generateToken(length) {
+    var c = "ABCDEFGHIJKLMNOPQRSTUZWXYZabcdefghijklmnopqrstuvwxyz1234567890";
+    var token = [];
+    for (var i=0;i<length;i++) {
+        token.push(c[Math.floor(Math.random()*c.length)]);
+    }
+    return token.join("");
+}
+
+
+var sessionModule;
+
+function moduleSelector(aSettings) {
+    var toReturn;
+    if (aSettings.sessionStorageModule) {
+        if (typeof aSettings.sessionStorageModule === "string") {
+            // TODO: allow storage modules to be specified by absolute path
+            toReturn = require("./"+aSettings.sessionStorageModule);
+        } else {
+            toReturn = aSettings.sessionStorageModule;
+        }
+    } else {
+        toReturn = require("./localfilesystem");
+    }
+    return toReturn;
+}
+
+module.exports = {
+    init: function(settings) {
+        sessionModule = moduleSelector(settings);
+        sessionModule.init(settings);
+    },
+    get: function(token) {
+        return sessionModule.get(token).then(function(session) {
+            if (session && session.accessExpires < Date.now()) {
+                return sessionModule.delete(token).then(function() {
+                    return null;
+                });
+            } else {
+                return session;
+            }
+        })
+    },
+    create: function(user,client,scope) {
+        var accessToken = generateToken(128);
+        var session = {
+            user:user,
+            client:client,
+            scope:scope,
+            accessToken: accessToken,
+        };
+        return sessionModule.create(accessToken,session).then(function() {
+            return {
+                accessToken: accessToken,
+            }
+        });
+    },
+    revoke: function(token) {
+        return sessionModule.delete(token);
+    }
+}
+

red/api/auth/tokens/localfilesystem.js

@@ -0,0 +1,72 @@
+/**
+ * Copyright 2015 IBM Corp.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+
+var fs = require('fs');
+var when = require('when');
+var nodeFn = require('when/node/function');
+var fspath = require("path");
+
+var settings;
+var sessionsFile;
+
+var sessions = {};
+
+/** 
+ * Write content to a file using UTF8 encoding.
+ * This forces a fsync before completing to ensure
+ * the write hits disk.
+ */
+function writeFile(path,content) {
+    return when.promise(function(resolve,reject) {
+        var stream = fs.createWriteStream(path);
+        stream.on('open',function(fd) {
+            stream.end(content,'utf8',function() {
+                fs.fsync(fd,resolve);
+            });
+        });
+        stream.on('error',function(err) {
+            reject(err);
+        });
+    });
+}
+
+var api = module.exports = {
+    init: function(_settings) {
+        settings = _settings;
+        var userDir = settings.userDir || process.env.NODE_RED_HOME;
+        sessionsFile = fspath.join(userDir,".sessions.json");
+        
+        try {
+            sessions = JSON.parse(fs.readFileSync(sessionsFile,'utf8'));
+        } catch(err) {
+            sessions = {};
+        }
+        
+        return when.resolve();
+    },
+    
+    get: function(token) {
+        return when.resolve(sessions[token]);
+    },
+    create: function(token,session) {
+        sessions[token] = session;
+        return writeFile(sessionsFile,JSON.stringify(sessions));
+    },
+    delete: function(token) {
+        delete sessions[token];
+        return writeFile(sessionsFile,JSON.stringify(sessions));
+    }
+}

red/api/auth/users.js

@@ -17,8 +17,6 @@
 var when = require("when");
 var crypto = require("crypto");
 var util = require("util");
-
-var settings = require("../../settings");
 /*
     adminAuth: {
         type: "credentials",
@@ -26,7 +24,7 @@ var settings = require("../../settings");
             username: "nol",
             password: "5f4dcc3b5aa765d61d8327deb882cf99" // password
         }],
-        anonymous: {}
+        default: {}
     },
     
     adminAuth: {
@@ -34,85 +32,85 @@ var settings = require("../../settings");
         api: {
             get: function(username) {}
             authenticate: function(username,password) {}
-            anonymous: function() {}
+            default: function() {}
         }
 */
 
 //{username:"nick",password:crypto.createHash('md5').update("foo",'utf8').digest('hex')}
+
 var users = {};
 var passwords = {};
-var anonymousUser = null;
+var defaultUser = null;
+
+function authenticate(username,password) {
+    var user = users[username];
+    if (user) {
+        var pass = crypto.createHash('md5').update(password,'utf8').digest('hex');
+        if (pass == passwords[username]) {
+            return when.resolve(user);
+        }
+    }
+    return when.resolve(null);
+}
+function get(username) {
+    return when.resolve(users[username]);
+}
+function getDefaultUser() {
+    return when.resolve(null);
+}
 
 var api = {
-    get: function(username) {
-        return when.resolve(null);
-    },
-    authenticate: function(username,password) {
-        return when.resolve(null);
-    },
-    anonymous: function() {
-        return when.resolve(null);
-    }
+    get: get,
+    authenticate: authenticate,
+    default: getDefaultUser
 }
-function init() {
+
+function init(config) {
     users = {};
     passwords = {};
-    anonymousUser = null;
-    if (settings.adminAuth) {
-        if (settings.adminAuth.type == "credentials") {
-            if (settings.adminAuth.api) {
-                api.get = settings.adminAuth.api.get || api.get;
-                api.authenticate = settings.adminAuth.api.authenticate || api.authenticate;
-                api.anonymous = settings.adminAuth.api.anonymous || api.anonymous;
+    defaultUser = null;
+    if (config.type == "credentials") {
+        if (config.users) {
+            if (typeof config.users === "function") {
+                api.get = config.users;
             } else {
-                if (settings.adminAuth.users) {
-                    var us = settings.adminAuth.users;
-                    if (!util.isArray(us)) {
-                        us = [us];
-                    }
-                    for (var i=0;i<us.length;i++) {
-                        var u = us[i];
-                        users[u.username] = {
-                            "username":u.username,
-                            "permissions":u.permissions
-                        };
-                        passwords[u.username] = u.password;
-                    }
+                var us = config.users;
+                if (!util.isArray(us)) {
+                    us = [us];
                 }
-                if (settings.adminAuth.anonymous) {
-                    anonymousUser = {
-                        "anonymous": true,
-                        "permissions":settings.adminAuth.anonymous.permissions
-                    }
-                }
-                api = {
-                    get: function(username) {
-                        return when.resolve(users[username]);
-                    },
-                    authenticate: function(username,password) {
-                        return api.get(username).then(function(user) {
-                            if (user) {
-                                var pass = crypto.createHash('md5').update(password,'utf8').digest('hex');
-                                if (pass == passwords[username]) {
-                                    return when.resolve(user);
-                                }
-                            }
-                            return when.resolve(null);
-                        });
-                    },
-                    anonymous: function() {
-                        return when.resolve(anonymousUser);
-                    }
+                for (var i=0;i<us.length;i++) {
+                    var u = us[i];
+                    users[u.username] = {
+                        "username":u.username,
+                        "permissions":u.permissions
+                    };
+                    passwords[u.username] = u.password;
                 }
             }
         }
+        if (config.authenticate && typeof config.authenticate === "function") {
+            api.authenticate = config.authenticate;
+        } else {
+            api.authenticate = authenticate;
+        }
+    }
+    if (config.default) {
+        api.default = function() {
+            return when.resolve({
+                "anonymous": true,
+                "permissions":config.default.permissions
+            });
+        }
+    } else {
+        api.default = getDefaultUser;
     }
 }
+
 module.exports = {
     init: init,
     get: function(username) { return api.get(username) },
     authenticate: function(username,password) { return api.authenticate(username,password) },
-    anonymous: function() { return api.anonymous(); }
+    default: function() { return api.default(); }
 };
 
 

red/api/index.js

@@ -32,6 +32,7 @@ var settings = require("../settings");
 
 var errorHandler = function(err,req,res,next) {
     //TODO: standardize json response
+    console.log(err.stack);
     res.send(400,err.toString());
 };
 
@@ -51,18 +52,19 @@ function init(adminApp) {
     adminApp.use(express.json());
     adminApp.use(express.urlencoded());
     
-    //TODO: all passport references ought to be in ./auth
-    adminApp.use(passport.initialize());
-    
-    adminApp.use(auth.authenticate);
-    adminApp.post("/auth/token",
-        auth.ensureClientSecret,
-        auth.authenticateClient,
-        auth.getToken,
-        auth.errorHandler
-    );
-    adminApp.get("/auth/login",auth.login);
-    adminApp.post("/auth/revoke",auth.revoke);
+    if (settings.adminAuth) {
+        //TODO: all passport references ought to be in ./auth
+        adminApp.use(passport.initialize());
+        adminApp.use(auth.authenticate);
+        adminApp.post("/auth/token",
+            auth.ensureClientSecret,
+            auth.authenticateClient,
+            auth.getToken,
+            auth.errorHandler
+        );
+        adminApp.get("/auth/login",auth.login);
+        adminApp.post("/auth/revoke",auth.revoke);
+    }
 
     // Flows
     adminApp.get("/flows",needsPermission("flows.read"),flows.get);