src/accesscontrol.js

'use strict';

exports = module.exports = {
    SCOPE_APPS: 'apps',
    SCOPE_CLIENTS: 'clients',
    SCOPE_CLOUDRON: 'cloudron',
    SCOPE_DOMAINS: 'domains',
    SCOPE_MAIL: 'mail',
    SCOPE_PROFILE: 'profile',
    SCOPE_SETTINGS: 'settings',
    SCOPE_USERS: 'users',
    SCOPE_APPSTORE: 'appstore',
    VALID_SCOPES: [ 'apps', 'appstore', 'clients', 'cloudron', 'domains', 'mail', 'profile', 'settings', 'users' ],

    SCOPE_ANY: '*',

    ROLE_OWNER: 'owner',

    validateRoles: validateRoles,

    validateScope: validateScope,
    hasScopes: hasScopes,
    intersectScope: intersectScope,
    canonicalScope: canonicalScope
};

var assert = require('assert'),
    debug = require('debug')('box:accesscontrol'),
    _ = require('underscore');

function canonicalScope(scope) {
    var scopes = scope.split(',');
    scopes = scopes.map(function (s) { return s.replace(exports.SCOPE_ANY, exports.VALID_SCOPES.join(',')); });
    return scopes.join(',');
}

function intersectScope(allowedScope, wantedScope) {
    assert.strictEqual(typeof allowedScope, 'string');
    assert.strictEqual(typeof wantedScope, 'string');

    const allowedScopes = allowedScope.split(',');
    const wantedScopes = wantedScope.split(',');

    if (allowedScopes.indexOf(exports.SCOPE_ANY) !== -1) return canonicalScope(wantedScope);
    if (wantedScopes.indexOf(exports.SCOPE_ANY) !== -1) return canonicalScope(allowedScope);

    return _.intersection(allowedScopes, wantedScopes).join(',');
}

function validateRoles(roles) {
    assert(Array.isArray(roles));

    if (roles.length === 0) return null;
    if (roles.length === 1 && roles[0] === exports.ROLE_OWNER) return null;

    return new Error('Invalid role');
}

function validateScope(scope) {
    assert.strictEqual(typeof scope, 'string');

    if (scope === '') return new Error('Empty scope not allowed');

    // NOTE: this function intentionally does not allow '*'. This is only allowed in the db to allow
    // us not write a migration script every time we add a new scope
    var allValid = scope.split(',').every(function (s) { return exports.VALID_SCOPES.indexOf(s.split(':')[0]) !== -1; });
    if (!allValid) return new Error('Invalid scope. Available scopes are ' + exports.VALID_SCOPES.join(', '));

    return null;
}

// tests if all requiredScopes are attached to the request
function hasScopes(authorizedScopes, requiredScopes) {
    assert(Array.isArray(authorizedScopes), 'Expecting array');
    assert(Array.isArray(requiredScopes), 'Expecting array');

    if (authorizedScopes.indexOf(exports.SCOPE_ANY) !== -1) return null;

    for (var i = 0; i < requiredScopes.length; ++i) {
        const scopeParts = requiredScopes[i].split(':');

        // this allows apps:write if the token has a higher apps scope
        if (authorizedScopes.indexOf(requiredScopes[i]) === -1 && authorizedScopes.indexOf(scopeParts[0]) === -1) {
            debug('scope: missing scope "%s".', requiredScopes[i]);
            return new Error('Missing required scope "' + requiredScopes[i] + '"');
        }
    }

    return null;
}
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`'use strict';`

			`exports = module.exports = {`
			`SCOPE_APPS: 'apps',`
return the scope as part of the user profile send canonical scope in the profile response 2018-05-01 11:32:12 -07:00			`SCOPE_CLIENTS: 'clients',`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`SCOPE_CLOUDRON: 'cloudron',`
return the scope as part of the user profile send canonical scope in the profile response 2018-05-01 11:32:12 -07:00			`SCOPE_DOMAINS: 'domains',`
			`SCOPE_MAIL: 'mail',`
			`SCOPE_PROFILE: 'profile',`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`SCOPE_SETTINGS: 'settings',`
			`SCOPE_USERS: 'users',`
Add an appstore scope for subscription settings 2018-06-17 18:09:13 -07:00			`SCOPE_APPSTORE: 'appstore',`
			`VALID_SCOPES: [ 'apps', 'appstore', 'clients', 'cloudron', 'domains', 'mail', 'profile', 'settings', 'users' ],`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00
Remove redundant requireAdmin We already hand out scopes based on the user's access control 2018-04-27 21:47:11 -07:00			`SCOPE_ANY: '*',`

Add rolesJson to groups table This will contain the roles ('role definition') of a group of users. We will internally map these to our API scopes. 2018-06-14 21:12:52 -07:00			`ROLE_OWNER: 'owner',`

			`validateRoles: validateRoles,`

refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`validateScope: validateScope,`
validateRequestedScopes -> hasScopes 2018-06-14 16:32:24 -07:00			`hasScopes: hasScopes,`
normalizeScope -> intersectScope 2018-06-14 16:28:09 -07:00			`intersectScope: intersectScope,`
return the scope as part of the user profile send canonical scope in the profile response 2018-05-01 11:32:12 -07:00			`canonicalScope: canonicalScope`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`};`

			`var assert = require('assert'),`
Set the scope for a token basedon what the user has access to 2018-04-30 21:21:18 -07:00			`debug = require('debug')('box:accesscontrol'),`
			`_ = require('underscore');`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00
Return canonical scope in REST responses The '*' scope is purely an implementation detail. It cannot be requested as such. 2018-05-02 12:36:35 -07:00			`function canonicalScope(scope) {`
Add accesscontrol.canonicalScope tests 2018-06-14 20:17:54 -07:00			`var scopes = scope.split(',');`
			`scopes = scopes.map(function (s) { return s.replace(exports.SCOPE_ANY, exports.VALID_SCOPES.join(',')); });`
			`return scopes.join(',');`
Return canonical scope in REST responses The '*' scope is purely an implementation detail. It cannot be requested as such. 2018-05-02 12:36:35 -07:00			`}`

normalizeScope -> intersectScope 2018-06-14 16:28:09 -07:00			`function intersectScope(allowedScope, wantedScope) {`
merge auth.js into accesscontrol.js 2018-05-01 13:34:46 -07:00			`assert.strictEqual(typeof allowedScope, 'string');`
			`assert.strictEqual(typeof wantedScope, 'string');`

			`const allowedScopes = allowedScope.split(',');`
			`const wantedScopes = wantedScope.split(',');`

Return canonical scope in REST responses The '*' scope is purely an implementation detail. It cannot be requested as such. 2018-05-02 12:36:35 -07:00			`if (allowedScopes.indexOf(exports.SCOPE_ANY) !== -1) return canonicalScope(wantedScope);`
			`if (wantedScopes.indexOf(exports.SCOPE_ANY) !== -1) return canonicalScope(allowedScope);`
merge auth.js into accesscontrol.js 2018-05-01 13:34:46 -07:00
			`return _.intersection(allowedScopes, wantedScopes).join(',');`
			`}`

Add rolesJson to groups table This will contain the roles ('role definition') of a group of users. We will internally map these to our API scopes. 2018-06-14 21:12:52 -07:00			`function validateRoles(roles) {`
			`assert(Array.isArray(roles));`

			`if (roles.length === 0) return null;`
			`if (roles.length === 1 && roles[0] === exports.ROLE_OWNER) return null;`

			`return new Error('Invalid role');`
			`}`

refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`function validateScope(scope) {`
			`assert.strictEqual(typeof scope, 'string');`

			`if (scope === '') return new Error('Empty scope not allowed');`

Return canonical scope in REST responses The '*' scope is purely an implementation detail. It cannot be requested as such. 2018-05-02 12:36:35 -07:00			`// NOTE: this function intentionally does not allow '*'. This is only allowed in the db to allow`
			`// us not write a migration script every time we add a new scope`
Allow subscopes We can now have scopes as apps:read, apps:write etc 2018-06-14 16:37:38 -07:00			`var allValid = scope.split(',').every(function (s) { return exports.VALID_SCOPES.indexOf(s.split(':')[0]) !== -1; });`
return the scope as part of the user profile send canonical scope in the profile response 2018-05-01 11:32:12 -07:00			`if (!allValid) return new Error('Invalid scope. Available scopes are ' + exports.VALID_SCOPES.join(', '));`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00
			`return null;`
			`}`

validateRequestedScopes -> hasScopes 2018-06-14 16:32:24 -07:00			`// tests if all requiredScopes are attached to the request`
Make hasScopes take an array 2018-06-17 19:54:05 -07:00			`function hasScopes(authorizedScopes, requiredScopes) {`
			`assert(Array.isArray(authorizedScopes), 'Expecting array');`
validateRequestedScopes -> hasScopes 2018-06-14 16:32:24 -07:00			`assert(Array.isArray(requiredScopes), 'Expecting array');`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00
Make hasScopes take an array 2018-06-17 19:54:05 -07:00			`if (authorizedScopes.indexOf(exports.SCOPE_ANY) !== -1) return null;`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00
validateRequestedScopes -> hasScopes 2018-06-14 16:32:24 -07:00			`for (var i = 0; i < requiredScopes.length; ++i) {`
Allow subscopes We can now have scopes as apps:read, apps:write etc 2018-06-14 16:37:38 -07:00			`const scopeParts = requiredScopes[i].split(':');`

			`// this allows apps:write if the token has a higher apps scope`
Make hasScopes take an array 2018-06-17 19:54:05 -07:00			`if (authorizedScopes.indexOf(requiredScopes[i]) === -1 && authorizedScopes.indexOf(scopeParts[0]) === -1) {`
validateRequestedScopes -> hasScopes 2018-06-14 16:32:24 -07:00			`debug('scope: missing scope "%s".', requiredScopes[i]);`
			`return new Error('Missing required scope "' + requiredScopes[i] + '"');`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`}`
			`}`

			`return null;`
			`}`