control API access grants

2018-02-08 13:07:25 +01:00 · 2018-02-08 13:07:25 +01:00 · e1a2ee2381
commit e1a2ee2381
parent b82d26527a
4 changed files with 50 additions and 2 deletions
--- a/lib/cartodb/api/auth_api.js
+++ b/lib/cartodb/api/auth_api.js
@ -81,6 +81,15 @@ AuthApi.prototype.authorizedByAPIKey = function(user, req, callback) {
            return callback(error);
        }

+        if (!apikey.grantsMaps) {
+            const error = new Error('Forbidden');
+            error.type = 'auth';
+            error.subtype = 'api-key-does-not-grant-access';
+            error.http_status = 403;
+
+            return callback(error);
+        }
+
        return callback(null, true);
    });
 };
--- a/test/acceptance/auth/authorization.js
+++ b/test/acceptance/auth/authorization.js
@ -44,7 +44,7 @@ describe('authorization', function() {
        };
        const testClient = new TestClient(mapConfig); //no apikey provided, using default

-        testClient.getLayergroup({response: {status:403}}, function (err, layergroupResult) {
+        testClient.getLayergroup({ response: { status: 403 } }, function (err, layergroupResult) { //TODO 401
            assert.ifError(err);

            assert.ok(layergroupResult.hasOwnProperty('errors'));
@ -54,4 +54,31 @@ describe('authorization', function() {
            testClient.drain(done);
        });
    });
+
+    it('should forbide access to API if API key does not grant access', function (done) {
+        const apikeyToken = 'regular2';
+        const mapConfig = {
+            version: '1.7.0',
+            layers: [
+                {
+                    options: {
+                        sql: 'select * FROM test_table_localhost_regular1',
+                        cartocss: TestClient.CARTOCSS.POINTS,
+                        cartocss_version: '2.3.0'
+                    }
+                }
+            ]
+        };
+        const testClient = new TestClient(mapConfig, apikeyToken);
+
+        testClient.getLayergroup({ response: { status: 403 } }, function (err, layergroupResult) {
+            assert.ifError(err);
+
+            assert.ok(layergroupResult.hasOwnProperty('errors'));
+            assert.equal(layergroupResult.errors.length, 1);
+            assert.ok(layergroupResult.errors[0].match(/Forbidden/), layergroupResult.errors[0]);
+
+            testClient.drain(done);
+        });
+    });
 });
--- a/test/support/prepare_db.sh
+++ b/test/support/prepare_db.sh
@ -171,6 +171,17 @@ cat <<EOF | redis-cli -p ${REDIS_PORT} -n 5
    database_password "regular1"
 EOF

+# API Key Regular 2 no Maps API access, only to check grants permissions to the API
+cat <<EOF | redis-cli -p ${REDIS_PORT} -n 5
+  HMSET api_keys:localhost:regular2 \
+    user "localhost" \
+    type "regular" \
+    grants_sql "true" \
+    grants_maps "false" \
+    database_role "test_windshaft_publicuser" \
+    database_password "public"
+EOF
+
 cat <<EOF | redis-cli -p ${REDIS_PORT} -n 5
  HMSET api_keys:cartodb250user:4321 \
    user "localhost" \
--- a/test/support/test_helper.js
+++ b/test/support/test_helper.js
@ -118,7 +118,8 @@ afterEach(function(done) {
        'api_keys:localhost:default_public': true,
        'api_keys:cartodb250user:4321': true,
        'api_keys:cartodb250user:default_public': true,
-        'api_keys:localhost:regular1': true
+        'api_keys:localhost:regular1': true,
+        'api_keys:localhost:regular2': true,
    };
    var databasesTasks = { 0: 'users', 5: 'meta'};