Merge pull request #874 from CartoDB/project-auth-api-fallback

add fallback for using metadata fallback
This commit is contained in:
Daniel 2018-02-19 18:55:24 +01:00 committed by GitHub
commit 46587e3cf1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 308 additions and 16 deletions

View File

@ -1,3 +1,5 @@
var _ = require('underscore'); // AUTH_FALLBACK
/** /**
* *
* @param {PgConnection} pgConnection * @param {PgConnection} pgConnection
@ -45,10 +47,10 @@ AuthApi.prototype.authorizedBySigner = function(res, callback) {
}; };
function isValidApiKey(apikey) { function isValidApiKey(apikey) {
return apikey.type !== null && return apikey.type &&
apikey.user !== null && apikey.user &&
apikey.databasePassword !== null && apikey.databasePassword &&
apikey.databaseRole !== null; apikey.databaseRole;
} }
// Check if a request is authorized by api_key // Check if a request is authorized by api_key
@ -68,8 +70,18 @@ AuthApi.prototype.authorizedByAPIKey = function(user, res, callback) {
this.metadataBackend.getApikey(user, apikeyToken, (err, apikey) => { this.metadataBackend.getApikey(user, apikeyToken, (err, apikey) => {
if (err) { if (err) {
if (isNameNotFoundError(err)) {
err.http_status = 404;
}
return callback(err); return callback(err);
} }
//Remove this block when Auth fallback is not used anymore
// AUTH_FALLBACK
apikey.databaseRole = composeUserDatabase(apikey);
apikey.databasePassword = composeDatabasePassword(apikey);
if ( !isValidApiKey(apikey)) { if ( !isValidApiKey(apikey)) {
const error = new Error('Unauthorized'); const error = new Error('Unauthorized');
error.type = 'auth'; error.type = 'auth';
@ -79,7 +91,7 @@ AuthApi.prototype.authorizedByAPIKey = function(user, res, callback) {
return callback(error); return callback(error);
} }
if (apikeyUsername && (apikeyUsername !== res.locals.user)) { if (!usernameMatches(apikeyUsername, res.locals.user)) {
const error = new Error('Forbidden'); const error = new Error('Forbidden');
error.type = 'auth'; error.type = 'auth';
error.subtype = 'api-key-username-mismatch'; error.subtype = 'api-key-username-mismatch';
@ -101,6 +113,46 @@ AuthApi.prototype.authorizedByAPIKey = function(user, res, callback) {
}); });
}; };
//Remove this block when Auth fallback is not used anymore
// AUTH_FALLBACK
function composeUserDatabase (apikey) {
if (shouldComposeUserDatabase(apikey)) {
return _.template(global.environment.postgres_auth_user, apikey);
}
return apikey.databaseRole;
}
//Remove this block when Auth fallback is not used anymore
// AUTH_FALLBACK
function composeDatabasePassword (apikey) {
if (shouldComposeDatabasePassword(apikey)) {
return global.environment.postgres.password;
}
return apikey.databasePassword;
}
//Remove this block when Auth fallback is not used anymore
// AUTH_FALLBACK
function shouldComposeDatabasePassword (apikey) {
return !apikey.databasePassword && global.environment.postgres.password;
}
//Remove this block when Auth fallback is not used anymore
// AUTH_FALLBACK
function shouldComposeUserDatabase(apikey) {
return !apikey.databaseRole && apikey.user_id && global.environment.postgres_auth_user;
}
function isNameNotFoundError (err) {
return err.message && -1 !== err.message.indexOf('name not found');
}
function usernameMatches (apikeyUsername, requestUsername) {
return !(apikeyUsername && (apikeyUsername !== requestUsername));
}
/** /**
* Check access authorization * Check access authorization
* *

View File

@ -22,34 +22,74 @@ PgConnection.prototype.setDBAuth = function(username, params, apikeyType, callba
if (apikeyType === 'master') { if (apikeyType === 'master') {
this.metadataBackend.getMasterApikey(username, (err, apikey) => { this.metadataBackend.getMasterApikey(username, (err, apikey) => {
if (err) { if (err) {
if (isNameNotFoundError(err)) {
err.http_status = 404;
}
return callback(err); return callback(err);
} }
params.dbuser = apikey.databaseRole; params.dbuser = apikey.databaseRole;
params.dbpassword = apikey.databasePassword; params.dbpassword = apikey.databasePassword;
//Remove this block when Auth fallback is not used anymore
// AUTH_FALLBACK
if (!params.dbuser && apikey.user_id && global.environment.postgres_auth_user) {
params.dbuser = _.template(global.environment.postgres_auth_user, apikey);
}
return callback(); return callback();
}); });
} else if (apikeyType === 'regular') { } else if (apikeyType === 'regular') { //Actually it can be any type of api key
this.metadataBackend.getApikey(username, params.api_key, (err, apikey) => { this.metadataBackend.getApikey(username, params.api_key, (err, apikey) => {
if (err) { if (err) {
if (isNameNotFoundError(err)) {
err.http_status = 404;
}
return callback(err); return callback(err);
} }
params.dbuser = apikey.databaseRole; params.dbuser = apikey.databaseRole;
params.dbpassword = apikey.databasePassword; params.dbpassword = apikey.databasePassword;
//Remove this block when Auth fallback is not used anymore
// AUTH_FALLBACK
if (!params.dbuser && apikey.user_id && apikey.type === 'master' && global.environment.postgres_auth_user) {
params.dbuser = _.template(global.environment.postgres_auth_user, apikey);
}
//Remove this block when Auth fallback is not used anymore
// AUTH_FALLBACK
if (!params.dbpassword && global.environment.postgres.password) {
params.dbpassword = global.environment.postgres.password;
}
//Remove this block when Auth fallback is not used anymore
// AUTH_FALLBACK
// If api key not found use default
if (!params.dbuser && !params.dbpassword) {
return this.setDBAuth(username, params, 'default', callback);
}
return callback(); return callback();
}); });
} else if (apikeyType === 'default') { } else if (apikeyType === 'default') {
this.metadataBackend.getApikey(username, 'default_public', (err, apikey) => { this.metadataBackend.getApikey(username, 'default_public', (err, apikey) => {
if (err) { if (err) {
if (isNameNotFoundError(err)) {
err.http_status = 404;
}
return callback(err); return callback(err);
} }
params.dbuser = apikey.databaseRole; params.dbuser = apikey.databaseRole;
params.dbpassword = apikey.databasePassword; params.dbpassword = apikey.databasePassword;
//Remove this block when Auth fallback is not used anymore
// AUTH_FALLBACK
if (!params.dbpassword && global.environment.postgres.password) {
params.dbpassword = global.environment.postgres.password;
}
return callback(); return callback();
}); });
} else { } else {
@ -57,6 +97,11 @@ PgConnection.prototype.setDBAuth = function(username, params, apikeyType, callba
} }
}; };
function isNameNotFoundError (err) {
return err.message && -1 !== err.message.indexOf('name not found');
}
// Set db connection parameters to those for the given username // Set db connection parameters to those for the given username
// //
// @param dbowner cartodb username of database owner, // @param dbowner cartodb username of database owner,

View File

@ -0,0 +1,181 @@
//Remove this file when Auth fallback is not used anymore
// AUTH_FALLBACK
const assert = require('../../support/assert');
const testHelper = require('../../support/test_helper');
const CartodbWindshaft = require('../../../lib/cartodb/server');
const serverOptions = require('../../../lib/cartodb/server_options');
const server = new CartodbWindshaft(serverOptions);
var LayergroupToken = require('../../../lib/cartodb/models/layergroup-token');
function singleLayergroupConfig(sql, cartocss) {
return {
version: '1.7.0',
layers: [
{
type: 'mapnik',
options: {
sql: sql,
cartocss: cartocss,
cartocss_version: '2.3.0'
}
}
]
};
}
function createRequest(layergroup, userHost, apiKey) {
var url = layergroupUrl;
if (apiKey) {
url += '?api_key=' + apiKey;
}
return {
url: url,
method: 'POST',
headers: {
host: userHost || 'localhost',
'Content-Type': 'application/json'
},
data: JSON.stringify(layergroup)
};
}
var layergroupUrl = '/api/v1/map';
var pointSqlMaster = "select * from test_table_private_1";
var pointSqlPublic = "select * from test_table";
var keysToDelete;
describe('authorization fallback', function () {
beforeEach(function () {
keysToDelete = {};
});
afterEach(function (done) {
testHelper.deleteRedisKeys(keysToDelete, done);
});
it("succeed with master", function (done) {
var layergroup = singleLayergroupConfig(pointSqlMaster, '#layer { marker-fill:red; }');
assert.response(server,
createRequest(layergroup, 'user_previous_to_project_auth', '4444'),
{
status: 200
},
function (res, err) {
assert.ifError(err);
var parsed = JSON.parse(res.body);
assert.ok(parsed.layergroupid);
assert.equal(res.headers['x-layergroup-id'], parsed.layergroupid);
keysToDelete['map_cfg|' + LayergroupToken.parse(parsed.layergroupid).token] = 0;
keysToDelete['user:user_previous_to_project_auth:mapviews:global'] = 5;
done();
}
);
});
it("succeed with default - sending default_public", function (done) {
var layergroup = singleLayergroupConfig(pointSqlPublic, '#layer { marker-fill:red; }');
assert.response(server,
createRequest(layergroup, 'user_previous_to_project_auth', 'default_public'),
{
status: 200
},
function (res, err) {
assert.ifError(err);
var parsed = JSON.parse(res.body);
assert.ok(parsed.layergroupid);
assert.equal(res.headers['x-layergroup-id'], parsed.layergroupid);
keysToDelete['map_cfg|' + LayergroupToken.parse(parsed.layergroupid).token] = 0;
keysToDelete['user:user_previous_to_project_auth:mapviews:global'] = 5;
done();
}
);
});
it("succeed with default - sending no api key token", function (done) {
var layergroup = singleLayergroupConfig(pointSqlPublic, '#layer { marker-fill:red; }');
assert.response(server,
createRequest(layergroup, 'user_previous_to_project_auth'),
{
status: 200
},
function (res, err) {
assert.ifError(err);
var parsed = JSON.parse(res.body);
assert.ok(parsed.layergroupid);
assert.equal(res.headers['x-layergroup-id'], parsed.layergroupid);
keysToDelete['map_cfg|' + LayergroupToken.parse(parsed.layergroupid).token] = 0;
keysToDelete['user:user_previous_to_project_auth:mapviews:global'] = 5;
done();
}
);
});
it("succeed with non-existent api key - defaults to default", function (done) {
var layergroup = singleLayergroupConfig(pointSqlPublic, '#layer { marker-fill:red; }');
assert.response(server,
createRequest(layergroup, 'user_previous_to_project_auth', 'THIS-API-KEY-DOESNT-EXIST'),
{
status: 200
},
function (res, err) {
assert.ifError(err);
var parsed = JSON.parse(res.body);
assert.ok(parsed.layergroupid);
assert.equal(res.headers['x-layergroup-id'], parsed.layergroupid);
keysToDelete['map_cfg|' + LayergroupToken.parse(parsed.layergroupid).token] = 0;
keysToDelete['user:user_previous_to_project_auth:mapviews:global'] = 5;
done();
}
);
});
it("fail with default", function (done) {
var layergroup = singleLayergroupConfig(pointSqlMaster, '#layer { marker-fill:red; }');
assert.response(server,
createRequest(layergroup, 'user_previous_to_project_auth', 'default_public'),
{
status: 403
},
function (res, err) {
assert.ifError(err);
done();
}
);
});
it("fail with non-existent api key - defaults to default", function (done) {
var layergroup = singleLayergroupConfig(pointSqlMaster, '#layer { marker-fill:red; }');
assert.response(server,
createRequest(layergroup, 'user_previous_to_project_auth', 'THIS-API-KEY-DOESNT-EXIST'),
{
status: 403
},
function (res, err) {
assert.ifError(err);
done();
}
);
});
});

View File

@ -131,6 +131,19 @@ HMSET rails:users:cartodb250user id ${TESTUSERID} \
map_key 4321 map_key 4321
EOF EOF
# Remove this block when Auth fallback is not used anymore
# AUTH_FALLBACK
# A user to test auth fallback to no api keys mode
cat <<EOF | redis-cli -p ${REDIS_PORT} -n 5
HMSET rails:users:user_previous_to_project_auth id ${TESTUSERID} \
database_name "${TEST_DB}" \
database_host "localhost" \
database_password "${TESTPASS}" \
database_publicuser "${PUBLICUSER}"\
map_key 4444
EOF
cat <<EOF | redis-cli -p ${REDIS_PORT} -n 0 cat <<EOF | redis-cli -p ${REDIS_PORT} -n 0
HSET rails:${TEST_DB}:my_table infowindow "this, that, the other" HSET rails:${TEST_DB}:my_table infowindow "this, that, the other"
HSET rails:${TEST_DB}:test_table_private_1 privacy "0" HSET rails:${TEST_DB}:test_table_private_1 privacy "0"

View File

@ -114,6 +114,7 @@ afterEach(function(done) {
'rails:users:localhost:map_key': true, 'rails:users:localhost:map_key': true,
'rails:users:cartodb250user': true, 'rails:users:cartodb250user': true,
'rails:users:localhost': true, 'rails:users:localhost': true,
'rails:users:user_previous_to_project_auth': true, // AUTH_FALLBACK
'api_keys:localhost:1234': true, 'api_keys:localhost:1234': true,
'api_keys:localhost:default_public': true, 'api_keys:localhost:default_public': true,
'api_keys:cartodb250user:4321': true, 'api_keys:cartodb250user:4321': true,

View File

@ -303,7 +303,7 @@ cartodb-query-tables@0.3.0:
cartodb-redis@cartodb/node-cartodb-redis#project-auth-api: cartodb-redis@cartodb/node-cartodb-redis#project-auth-api:
version "0.15.1" version "0.15.1"
resolved "https://codeload.github.com/cartodb/node-cartodb-redis/tar.gz/2d17fe82d66972edce5c727c679a335845ea5eb0" resolved "https://codeload.github.com/cartodb/node-cartodb-redis/tar.gz/ffc1dccaa5ad433a1582d8e3d5926063bd3851d3"
dependencies: dependencies:
dot "~1.0.2" dot "~1.0.2"
redis-mpool "^0.5.0" redis-mpool "^0.5.0"