src/accesscontrol.js

'use strict';

exports = module.exports = {
    SCOPE_APPS_READ: 'apps:read',
    SCOPE_APPS_MANAGE: 'apps:manage',
    SCOPE_CLIENTS: 'clients',
    SCOPE_CLOUDRON: 'cloudron',
    SCOPE_DOMAINS_READ: 'domains:read',
    SCOPE_DOMAINS_MANAGE: 'domains:manage',
    SCOPE_MAIL: 'mail',
    SCOPE_PROFILE: 'profile',
    SCOPE_SETTINGS: 'settings',
    SCOPE_USERS_READ: 'users:read',
    SCOPE_USERS_MANAGE: 'users:manage',
    SCOPE_APPSTORE: 'appstore',
    VALID_SCOPES: [ 'apps', 'appstore', 'clients', 'cloudron', 'domains', 'mail', 'profile', 'settings', 'users' ], // keep this sorted

    SCOPE_ANY: '*',

    validateScopeString: validateScopeString,
    hasScopes: hasScopes,
    canonicalScopeString: canonicalScopeString,
    intersectScopes: intersectScopes,
    validateToken: validateToken,
    scopesForUser: scopesForUser
};

var assert = require('assert'),
    DatabaseError = require('./databaseerror.js'),
    debug = require('debug')('box:accesscontrol'),
    settings = require('./settings.js'),
    tokendb = require('./tokendb.js'),
    users = require('./users.js'),
    UsersError = users.UsersError,
    _ = require('underscore');

// returns scopes that does not have wildcards and is sorted
function canonicalScopeString(scope) {
    if (scope === exports.SCOPE_ANY) return exports.VALID_SCOPES.join(',');

    return scope.split(',').sort().join(',');
}

function intersectScopes(allowedScopes, wantedScopes) {
    assert(Array.isArray(allowedScopes), 'Expecting sorted array');
    assert(Array.isArray(wantedScopes), 'Expecting sorted array');

    if (_.isEqual(allowedScopes, wantedScopes)) return allowedScopes; // quick path

    let wantedScopesMap = new Map();
    let results = [];

    // make a map of scope -> [ subscopes ]
    for (let w of wantedScopes) {
        let parts = w.split(':');
        let subscopes = wantedScopesMap.get(parts[0]) || new Set();
        subscopes.add(parts[1] || '*');
        wantedScopesMap.set(parts[0], subscopes);
    }

    for (let a of allowedScopes) {
        let parts = a.split(':');
        let as = parts[1] || '*';

        let subscopes = wantedScopesMap.get(parts[0]);
        if (!subscopes) continue;

        if (subscopes.has('*') || subscopes.has(as)) {
            results.push(a);
        } else if (as === '*') {
            results = results.concat(Array.from(subscopes).map(function (ss) { return `${a}:${ss}`; }));
        }
    }

    return results;
}

function validateScopeString(scope) {
    assert.strictEqual(typeof scope, 'string');

    if (scope === '') return new Error('Empty scope not allowed');

    // NOTE: this function intentionally does not allow '*'. This is only allowed in the db to allow
    // us not write a migration script every time we add a new scope
    var allValid = scope.split(',').every(function (s) { return exports.VALID_SCOPES.indexOf(s.split(':')[0]) !== -1; });
    if (!allValid) return new Error('Invalid scope. Available scopes are ' + exports.VALID_SCOPES.join(', '));

    return null;
}

// tests if all requiredScopes are attached to the request
function hasScopes(authorizedScopes, requiredScopes) {
    assert(Array.isArray(authorizedScopes), 'Expecting array');
    assert(Array.isArray(requiredScopes), 'Expecting array');

    if (authorizedScopes.indexOf(exports.SCOPE_ANY) !== -1) return null;

    for (var i = 0; i < requiredScopes.length; ++i) {
        const scopeParts = requiredScopes[i].split(':');

        // this allows apps:write if the token has a higher apps scope
        if (authorizedScopes.indexOf(requiredScopes[i]) === -1 && authorizedScopes.indexOf(scopeParts[0]) === -1) {
            debug('scope: missing scope "%s".', requiredScopes[i]);
            return new Error('Missing required scope "' + requiredScopes[i] + '"');
        }
    }

    return null;
}

function scopesForUser(user, callback) {
    assert.strictEqual(typeof user, 'object');
    assert.strictEqual(typeof callback, 'function');

    if (user.admin) return callback(null, exports.VALID_SCOPES);

    settings.getSpacesConfig(function (error, spaces) {
        if (error) return callback(error);

        callback(null, spaces.enabled ? [ 'profile', 'apps', 'domains:read', 'users:read' ] : [ 'profile', 'apps:read' ]);
    });
}

function validateToken(accessToken, callback) {
    assert.strictEqual(typeof accessToken, 'string');
    assert.strictEqual(typeof callback, 'function');

    tokendb.get(accessToken, function (error, token) {
        if (error && error.reason === DatabaseError.NOT_FOUND) return callback(null, null /* user */, 'Invalid Token'); // will end up as a 401
        if (error) return callback(error); // this triggers 'internal error' in passport

        users.get(token.identifier, function (error, user) {
            if (error && error.reason === UsersError.NOT_FOUND) return callback(null, null /* user */, 'Invalid Token'); // will end up as a 401
            if (error) return callback(error);

            scopesForUser(user, function (error, userScopes) {
                if (error) return callback(error);

                var authorizedScopes = intersectScopes(userScopes, token.scope.split(','));
                const skipPasswordVerification = token.clientId === 'cid-sdk' || token.clientId === 'cid-cli'; // these clients do not require password checks unlike UI
                var info = { authorizedScopes: authorizedScopes, skipPasswordVerification: skipPasswordVerification }; // ends up in req.authInfo

                callback(null, user, info);
            });
        });
    });
}
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`'use strict';`

			`exports = module.exports = {`
Add app management scope This splits the apps API into those who have just 'read' access and those who have 'manage' access. 2018-06-25 16:45:15 -07:00			`SCOPE_APPS_READ: 'apps:read',`
			`SCOPE_APPS_MANAGE: 'apps:manage',`
return the scope as part of the user profile send canonical scope in the profile response 2018-05-01 11:32:12 -07:00			`SCOPE_CLIENTS: 'clients',`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`SCOPE_CLOUDRON: 'cloudron',`
Add domain management scope This splits the domains API into those who have just 'read' access (i.e without configuration details) and those who have 'manage' access. 2018-06-25 15:12:20 -07:00			`SCOPE_DOMAINS_READ: 'domains:read',`
			`SCOPE_DOMAINS_MANAGE: 'domains:manage',`
return the scope as part of the user profile send canonical scope in the profile response 2018-05-01 11:32:12 -07:00			`SCOPE_MAIL: 'mail',`
			`SCOPE_PROFILE: 'profile',`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`SCOPE_SETTINGS: 'settings',`
Add user management scope This splits the user and groups API into those who have just 'read' access and those who have 'manage' access. 2018-06-25 15:54:24 -07:00			`SCOPE_USERS_READ: 'users:read',`
			`SCOPE_USERS_MANAGE: 'users:manage',`
Add an appstore scope for subscription settings 2018-06-17 18:09:13 -07:00			`SCOPE_APPSTORE: 'appstore',`
Make canonicalScopeString return sorted array 2018-06-27 14:07:25 -07:00			`VALID_SCOPES: [ 'apps', 'appstore', 'clients', 'cloudron', 'domains', 'mail', 'profile', 'settings', 'users' ], // keep this sorted`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00
Remove redundant requireAdmin We already hand out scopes based on the user's access control 2018-04-27 21:47:11 -07:00			`SCOPE_ANY: '*',`

validateScope -> validateScopeString 2018-06-17 22:29:17 -07:00			`validateScopeString: validateScopeString,`
validateRequestedScopes -> hasScopes 2018-06-14 16:32:24 -07:00			`hasScopes: hasScopes,`
When issuing token intersect with the existing user roles Also: * Move token validation to accesscontrol.js * Use clients.addTokenByUserId everywhere 2018-06-27 23:17:04 -07:00			`canonicalScopeString: canonicalScopeString,`
Make intersectScopes take an array 2018-06-17 22:38:14 -07:00			`intersectScopes: intersectScopes,`
When issuing token intersect with the existing user roles Also: * Move token validation to accesscontrol.js * Use clients.addTokenByUserId everywhere 2018-06-27 23:17:04 -07:00			`validateToken: validateToken,`
Revert role support 2018-07-26 10:20:19 -07:00			`scopesForUser: scopesForUser`
Map group roles to scopes 2018-06-18 14:21:54 -07:00			`};`

refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`var assert = require('assert'),`
When issuing token intersect with the existing user roles Also: * Move token validation to accesscontrol.js * Use clients.addTokenByUserId everywhere 2018-06-27 23:17:04 -07:00			`DatabaseError = require('./databaseerror.js'),`
Set the scope for a token basedon what the user has access to 2018-04-30 21:21:18 -07:00			`debug = require('debug')('box:accesscontrol'),`
spaces: verify app ownership in app management routes 2018-08-03 17:21:24 -07:00			`settings = require('./settings.js'),`
When issuing token intersect with the existing user roles Also: * Move token validation to accesscontrol.js * Use clients.addTokenByUserId everywhere 2018-06-27 23:17:04 -07:00			`tokendb = require('./tokendb.js'),`
			`users = require('./users.js'),`
			`UsersError = users.UsersError,`
Set the scope for a token basedon what the user has access to 2018-04-30 21:21:18 -07:00			`_ = require('underscore');`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00
Make canonicalScopeString return sorted array 2018-06-27 14:07:25 -07:00			`// returns scopes that does not have wildcards and is sorted`
Rename to accesscontrol.canonicalScopeString 2018-06-17 22:42:18 -07:00			`function canonicalScopeString(scope) {`
Make canonicalScopeString return sorted array 2018-06-27 14:07:25 -07:00			`if (scope === exports.SCOPE_ANY) return exports.VALID_SCOPES.join(',');`

			`return scope.split(',').sort().join(',');`
Return canonical scope in REST responses The '*' scope is purely an implementation detail. It cannot be requested as such. 2018-05-02 12:36:35 -07:00			`}`

Make intersectScopes take an array 2018-06-17 22:38:14 -07:00			`function intersectScopes(allowedScopes, wantedScopes) {`
Make canonicalScopeString return sorted array 2018-06-27 14:07:25 -07:00			`assert(Array.isArray(allowedScopes), 'Expecting sorted array');`
			`assert(Array.isArray(wantedScopes), 'Expecting sorted array');`
merge auth.js into accesscontrol.js 2018-05-01 13:34:46 -07:00
When issuing token intersect with the existing user roles Also: * Move token validation to accesscontrol.js * Use clients.addTokenByUserId everywhere 2018-06-27 23:17:04 -07:00			`if (_.isEqual(allowedScopes, wantedScopes)) return allowedScopes; // quick path`

Fix accesscontrol.intersectScopes 2018-06-27 18:08:38 -07:00			`let wantedScopesMap = new Map();`
			`let results = [];`

			`// make a map of scope -> [ subscopes ]`
			`for (let w of wantedScopes) {`
			`let parts = w.split(':');`
			`let subscopes = wantedScopesMap.get(parts[0]) \|\| new Set();`
			`subscopes.add(parts[1] \|\| '*');`
			`wantedScopesMap.set(parts[0], subscopes);`
			`}`

			`for (let a of allowedScopes) {`
			`let parts = a.split(':');`
			`let as = parts[1] \|\| '*';`

			`let subscopes = wantedScopesMap.get(parts[0]);`
			`if (!subscopes) continue;`

			`if (subscopes.has('*') \|\| subscopes.has(as)) {`
			`results.push(a);`
			`} else if (as === '*') {`
			results = results.concat(Array.from(subscopes).map(function (ss) { return `${a}:${ss}`; }));
			`}`
			`}`

			`return results;`
merge auth.js into accesscontrol.js 2018-05-01 13:34:46 -07:00			`}`

validateScope -> validateScopeString 2018-06-17 22:29:17 -07:00			`function validateScopeString(scope) {`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`assert.strictEqual(typeof scope, 'string');`

			`if (scope === '') return new Error('Empty scope not allowed');`

Return canonical scope in REST responses The '*' scope is purely an implementation detail. It cannot be requested as such. 2018-05-02 12:36:35 -07:00			`// NOTE: this function intentionally does not allow '*'. This is only allowed in the db to allow`
			`// us not write a migration script every time we add a new scope`
Allow subscopes We can now have scopes as apps:read, apps:write etc 2018-06-14 16:37:38 -07:00			`var allValid = scope.split(',').every(function (s) { return exports.VALID_SCOPES.indexOf(s.split(':')[0]) !== -1; });`
return the scope as part of the user profile send canonical scope in the profile response 2018-05-01 11:32:12 -07:00			`if (!allValid) return new Error('Invalid scope. Available scopes are ' + exports.VALID_SCOPES.join(', '));`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00
			`return null;`
			`}`

validateRequestedScopes -> hasScopes 2018-06-14 16:32:24 -07:00			`// tests if all requiredScopes are attached to the request`
Make hasScopes take an array 2018-06-17 19:54:05 -07:00			`function hasScopes(authorizedScopes, requiredScopes) {`
			`assert(Array.isArray(authorizedScopes), 'Expecting array');`
validateRequestedScopes -> hasScopes 2018-06-14 16:32:24 -07:00			`assert(Array.isArray(requiredScopes), 'Expecting array');`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00
Make hasScopes take an array 2018-06-17 19:54:05 -07:00			`if (authorizedScopes.indexOf(exports.SCOPE_ANY) !== -1) return null;`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00
validateRequestedScopes -> hasScopes 2018-06-14 16:32:24 -07:00			`for (var i = 0; i < requiredScopes.length; ++i) {`
Allow subscopes We can now have scopes as apps:read, apps:write etc 2018-06-14 16:37:38 -07:00			`const scopeParts = requiredScopes[i].split(':');`

			`// this allows apps:write if the token has a higher apps scope`
Make hasScopes take an array 2018-06-17 19:54:05 -07:00			`if (authorizedScopes.indexOf(requiredScopes[i]) === -1 && authorizedScopes.indexOf(scopeParts[0]) === -1) {`
validateRequestedScopes -> hasScopes 2018-06-14 16:32:24 -07:00			`debug('scope: missing scope "%s".', requiredScopes[i]);`
			`return new Error('Missing required scope "' + requiredScopes[i] + '"');`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`}`
			`}`

			`return null;`
			`}`
Map group roles to scopes 2018-06-18 14:21:54 -07:00
make scopesForUser async 2018-08-02 19:07:33 -07:00			`function scopesForUser(user, callback) {`
			`assert.strictEqual(typeof user, 'object');`
			`assert.strictEqual(typeof callback, 'function');`

spaces: verify app ownership in app management routes 2018-08-03 17:21:24 -07:00			`if (user.admin) return callback(null, exports.VALID_SCOPES);`

			`settings.getSpacesConfig(function (error, spaces) {`
			`if (error) return callback(error);`

			`callback(null, spaces.enabled ? [ 'profile', 'apps', 'domains:read', 'users:read' ] : [ 'profile', 'apps:read' ]);`
			`});`
When issuing token intersect with the existing user roles Also: * Move token validation to accesscontrol.js * Use clients.addTokenByUserId everywhere 2018-06-27 23:17:04 -07:00			`}`

			`function validateToken(accessToken, callback) {`
			`assert.strictEqual(typeof accessToken, 'string');`
			`assert.strictEqual(typeof callback, 'function');`

			`tokendb.get(accessToken, function (error, token) {`
			`if (error && error.reason === DatabaseError.NOT_FOUND) return callback(null, null /* user */, 'Invalid Token'); // will end up as a 401`
			`if (error) return callback(error); // this triggers 'internal error' in passport`

Revert role support 2018-07-26 10:20:19 -07:00			`users.get(token.identifier, function (error, user) {`
When issuing token intersect with the existing user roles Also: * Move token validation to accesscontrol.js * Use clients.addTokenByUserId everywhere 2018-06-27 23:17:04 -07:00			`if (error && error.reason === UsersError.NOT_FOUND) return callback(null, null /* user */, 'Invalid Token'); // will end up as a 401`
			`if (error) return callback(error);`

make scopesForUser async 2018-08-02 19:07:33 -07:00			`scopesForUser(user, function (error, userScopes) {`
			`if (error) return callback(error);`

			`var authorizedScopes = intersectScopes(userScopes, token.scope.split(','));`
			`const skipPasswordVerification = token.clientId === 'cid-sdk' \|\| token.clientId === 'cid-cli'; // these clients do not require password checks unlike UI`
			`var info = { authorizedScopes: authorizedScopes, skipPasswordVerification: skipPasswordVerification }; // ends up in req.authInfo`
When issuing token intersect with the existing user roles Also: * Move token validation to accesscontrol.js * Use clients.addTokenByUserId everywhere 2018-06-27 23:17:04 -07:00
make scopesForUser async 2018-08-02 19:07:33 -07:00			`callback(null, user, info);`
			`});`
When issuing token intersect with the existing user roles Also: * Move token validation to accesscontrol.js * Use clients.addTokenByUserId everywhere 2018-06-27 23:17:04 -07:00			`});`
			`});`
Map group roles to scopes 2018-06-18 14:21:54 -07:00			`}`