src/accesscontrol.js

'use strict';

exports = module.exports = {
    SCOPE_APPS_READ: 'apps:read',
    SCOPE_APPS_MANAGE: 'apps:manage',
    SCOPE_CLIENTS: 'clients',
    SCOPE_CLOUDRON: 'cloudron',
    SCOPE_DOMAINS_READ: 'domains:read',
    SCOPE_DOMAINS_MANAGE: 'domains:manage',
    SCOPE_MAIL: 'mail',
    SCOPE_PROFILE: 'profile',
    SCOPE_SETTINGS: 'settings',
    SCOPE_USERS_READ: 'users:read',
    SCOPE_USERS_MANAGE: 'users:manage',
    SCOPE_APPSTORE: 'appstore',
    VALID_SCOPES: [ 'apps', 'appstore', 'clients', 'cloudron', 'domains', 'mail', 'profile', 'settings', 'users' ], // keep this sorted

    SCOPE_ANY: '*',

    ROLE_OWNER: 'owner',

    scopesForRoles: scopesForRoles,

    validateRoles: validateRoles,

    validateScopeString: validateScopeString,
    hasScopes: hasScopes,
    intersectScopes: intersectScopes,
    canonicalScopeString: canonicalScopeString
};

// https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions
const ROLE_DEFINITIONS = {
    'owner': {
        scopes: exports.VALID_SCOPES
    },
    'manage_apps': {
        scopes: [ 'apps', 'domains:read', 'users:read' ]
    },
    'manage_users': {
        scopes: [ 'users' ]
    },
    'manage_domains': {
        scopes: [ 'domains' ]
    }
};

var assert = require('assert'),
    debug = require('debug')('box:accesscontrol'),
    _ = require('underscore');

// returns scopes that does not have wildcards and is sorted
function canonicalScopeString(scope) {
    if (scope === exports.SCOPE_ANY) return exports.VALID_SCOPES.join(',');

    return scope.split(',').sort().join(',');
}

function intersectScopes(allowedScopes, wantedScopes) {
    assert(Array.isArray(allowedScopes), 'Expecting sorted array');
    assert(Array.isArray(wantedScopes), 'Expecting sorted array');

    return _.intersection(allowedScopes, wantedScopes);
}

function validateRoles(roles) {
    assert(Array.isArray(roles));

    for (let role of roles) {
        if (Object.keys(ROLE_DEFINITIONS).indexOf(role) === -1) return new Error(`Invalid role ${role}`);
    }

    return null;
}

function validateScopeString(scope) {
    assert.strictEqual(typeof scope, 'string');

    if (scope === '') return new Error('Empty scope not allowed');

    // NOTE: this function intentionally does not allow '*'. This is only allowed in the db to allow
    // us not write a migration script every time we add a new scope
    var allValid = scope.split(',').every(function (s) { return exports.VALID_SCOPES.indexOf(s.split(':')[0]) !== -1; });
    if (!allValid) return new Error('Invalid scope. Available scopes are ' + exports.VALID_SCOPES.join(', '));

    return null;
}

// tests if all requiredScopes are attached to the request
function hasScopes(authorizedScopes, requiredScopes) {
    assert(Array.isArray(authorizedScopes), 'Expecting array');
    assert(Array.isArray(requiredScopes), 'Expecting array');

    if (authorizedScopes.indexOf(exports.SCOPE_ANY) !== -1) return null;

    for (var i = 0; i < requiredScopes.length; ++i) {
        const scopeParts = requiredScopes[i].split(':');

        // this allows apps:write if the token has a higher apps scope
        if (authorizedScopes.indexOf(requiredScopes[i]) === -1 && authorizedScopes.indexOf(scopeParts[0]) === -1) {
            debug('scope: missing scope "%s".', requiredScopes[i]);
            return new Error('Missing required scope "' + requiredScopes[i] + '"');
        }
    }

    return null;
}

function scopesForRoles(roles) {
    assert(Array.isArray(roles), 'Expecting array');

    var scopes = [ 'profile', 'apps:read' ];

    for (let r of roles) {
        if (!ROLE_DEFINITIONS[r]) continue; // unknown or some legacy role

        scopes = scopes.concat(ROLE_DEFINITIONS[r].scopes);
    }

    return _.uniq(scopes.sort(), true /* isSorted */);
}
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`'use strict';`

			`exports = module.exports = {`
Add app management scope This splits the apps API into those who have just 'read' access and those who have 'manage' access. 2018-06-25 16:45:15 -07:00			`SCOPE_APPS_READ: 'apps:read',`
			`SCOPE_APPS_MANAGE: 'apps:manage',`
return the scope as part of the user profile send canonical scope in the profile response 2018-05-01 11:32:12 -07:00			`SCOPE_CLIENTS: 'clients',`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`SCOPE_CLOUDRON: 'cloudron',`
Add domain management scope This splits the domains API into those who have just 'read' access (i.e without configuration details) and those who have 'manage' access. 2018-06-25 15:12:20 -07:00			`SCOPE_DOMAINS_READ: 'domains:read',`
			`SCOPE_DOMAINS_MANAGE: 'domains:manage',`
return the scope as part of the user profile send canonical scope in the profile response 2018-05-01 11:32:12 -07:00			`SCOPE_MAIL: 'mail',`
			`SCOPE_PROFILE: 'profile',`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`SCOPE_SETTINGS: 'settings',`
Add user management scope This splits the user and groups API into those who have just 'read' access and those who have 'manage' access. 2018-06-25 15:54:24 -07:00			`SCOPE_USERS_READ: 'users:read',`
			`SCOPE_USERS_MANAGE: 'users:manage',`
Add an appstore scope for subscription settings 2018-06-17 18:09:13 -07:00			`SCOPE_APPSTORE: 'appstore',`
Make canonicalScopeString return sorted array 2018-06-27 14:07:25 -07:00			`VALID_SCOPES: [ 'apps', 'appstore', 'clients', 'cloudron', 'domains', 'mail', 'profile', 'settings', 'users' ], // keep this sorted`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00
Remove redundant requireAdmin We already hand out scopes based on the user's access control 2018-04-27 21:47:11 -07:00			`SCOPE_ANY: '*',`

Add rolesJson to groups table This will contain the roles ('role definition') of a group of users. We will internally map these to our API scopes. 2018-06-14 21:12:52 -07:00			`ROLE_OWNER: 'owner',`

Map group roles to scopes 2018-06-18 14:21:54 -07:00			`scopesForRoles: scopesForRoles,`

Add rolesJson to groups table This will contain the roles ('role definition') of a group of users. We will internally map these to our API scopes. 2018-06-14 21:12:52 -07:00			`validateRoles: validateRoles,`

validateScope -> validateScopeString 2018-06-17 22:29:17 -07:00			`validateScopeString: validateScopeString,`
validateRequestedScopes -> hasScopes 2018-06-14 16:32:24 -07:00			`hasScopes: hasScopes,`
Make intersectScopes take an array 2018-06-17 22:38:14 -07:00			`intersectScopes: intersectScopes,`
Rename to accesscontrol.canonicalScopeString 2018-06-17 22:42:18 -07:00			`canonicalScopeString: canonicalScopeString`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`};`

Map group roles to scopes 2018-06-18 14:21:54 -07:00			`// https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions`
			`const ROLE_DEFINITIONS = {`
			`'owner': {`
			`scopes: exports.VALID_SCOPES`
			`},`
			`'manage_apps': {`
Add user management scope This splits the user and groups API into those who have just 'read' access and those who have 'manage' access. 2018-06-25 15:54:24 -07:00			`scopes: [ 'apps', 'domains:read', 'users:read' ]`
Map group roles to scopes 2018-06-18 14:21:54 -07:00			`},`
			`'manage_users': {`
			`scopes: [ 'users' ]`
validate role names against existing roles 2018-06-18 17:32:07 -07:00			`},`
			`'manage_domains': {`
			`scopes: [ 'domains' ]`
Map group roles to scopes 2018-06-18 14:21:54 -07:00			`}`
			`};`

refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`var assert = require('assert'),`
Set the scope for a token basedon what the user has access to 2018-04-30 21:21:18 -07:00			`debug = require('debug')('box:accesscontrol'),`
			`_ = require('underscore');`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00
Make canonicalScopeString return sorted array 2018-06-27 14:07:25 -07:00			`// returns scopes that does not have wildcards and is sorted`
Rename to accesscontrol.canonicalScopeString 2018-06-17 22:42:18 -07:00			`function canonicalScopeString(scope) {`
Make canonicalScopeString return sorted array 2018-06-27 14:07:25 -07:00			`if (scope === exports.SCOPE_ANY) return exports.VALID_SCOPES.join(',');`

			`return scope.split(',').sort().join(',');`
Return canonical scope in REST responses The '*' scope is purely an implementation detail. It cannot be requested as such. 2018-05-02 12:36:35 -07:00			`}`

Make intersectScopes take an array 2018-06-17 22:38:14 -07:00			`function intersectScopes(allowedScopes, wantedScopes) {`
Make canonicalScopeString return sorted array 2018-06-27 14:07:25 -07:00			`assert(Array.isArray(allowedScopes), 'Expecting sorted array');`
			`assert(Array.isArray(wantedScopes), 'Expecting sorted array');`
merge auth.js into accesscontrol.js 2018-05-01 13:34:46 -07:00
Make intersectScopes take an array 2018-06-17 22:38:14 -07:00			`return _.intersection(allowedScopes, wantedScopes);`
merge auth.js into accesscontrol.js 2018-05-01 13:34:46 -07:00			`}`

Add rolesJson to groups table This will contain the roles ('role definition') of a group of users. We will internally map these to our API scopes. 2018-06-14 21:12:52 -07:00			`function validateRoles(roles) {`
			`assert(Array.isArray(roles));`

validate role names against existing roles 2018-06-18 17:32:07 -07:00			`for (let role of roles) {`
			if (Object.keys(ROLE_DEFINITIONS).indexOf(role) === -1) return new Error(`Invalid role ${role}`);
			`}`
Add rolesJson to groups table This will contain the roles ('role definition') of a group of users. We will internally map these to our API scopes. 2018-06-14 21:12:52 -07:00
validate role names against existing roles 2018-06-18 17:32:07 -07:00			`return null;`
Add rolesJson to groups table This will contain the roles ('role definition') of a group of users. We will internally map these to our API scopes. 2018-06-14 21:12:52 -07:00			`}`

validateScope -> validateScopeString 2018-06-17 22:29:17 -07:00			`function validateScopeString(scope) {`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`assert.strictEqual(typeof scope, 'string');`

			`if (scope === '') return new Error('Empty scope not allowed');`

Return canonical scope in REST responses The '*' scope is purely an implementation detail. It cannot be requested as such. 2018-05-02 12:36:35 -07:00			`// NOTE: this function intentionally does not allow '*'. This is only allowed in the db to allow`
			`// us not write a migration script every time we add a new scope`
Allow subscopes We can now have scopes as apps:read, apps:write etc 2018-06-14 16:37:38 -07:00			`var allValid = scope.split(',').every(function (s) { return exports.VALID_SCOPES.indexOf(s.split(':')[0]) !== -1; });`
return the scope as part of the user profile send canonical scope in the profile response 2018-05-01 11:32:12 -07:00			`if (!allValid) return new Error('Invalid scope. Available scopes are ' + exports.VALID_SCOPES.join(', '));`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00
			`return null;`
			`}`

validateRequestedScopes -> hasScopes 2018-06-14 16:32:24 -07:00			`// tests if all requiredScopes are attached to the request`
Make hasScopes take an array 2018-06-17 19:54:05 -07:00			`function hasScopes(authorizedScopes, requiredScopes) {`
			`assert(Array.isArray(authorizedScopes), 'Expecting array');`
validateRequestedScopes -> hasScopes 2018-06-14 16:32:24 -07:00			`assert(Array.isArray(requiredScopes), 'Expecting array');`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00
Make hasScopes take an array 2018-06-17 19:54:05 -07:00			`if (authorizedScopes.indexOf(exports.SCOPE_ANY) !== -1) return null;`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00
validateRequestedScopes -> hasScopes 2018-06-14 16:32:24 -07:00			`for (var i = 0; i < requiredScopes.length; ++i) {`
Allow subscopes We can now have scopes as apps:read, apps:write etc 2018-06-14 16:37:38 -07:00			`const scopeParts = requiredScopes[i].split(':');`

			`// this allows apps:write if the token has a higher apps scope`
Make hasScopes take an array 2018-06-17 19:54:05 -07:00			`if (authorizedScopes.indexOf(requiredScopes[i]) === -1 && authorizedScopes.indexOf(scopeParts[0]) === -1) {`
validateRequestedScopes -> hasScopes 2018-06-14 16:32:24 -07:00			`debug('scope: missing scope "%s".', requiredScopes[i]);`
			`return new Error('Missing required scope "' + requiredScopes[i] + '"');`
refactor scopes into accesscontrol.js this will be our authorization layer for oauth and non-oauth tokens. 2018-04-26 15:54:53 -07:00			`}`
			`}`

			`return null;`
			`}`
Map group roles to scopes 2018-06-18 14:21:54 -07:00
			`function scopesForRoles(roles) {`
			`assert(Array.isArray(roles), 'Expecting array');`

Add app management scope This splits the apps API into those who have just 'read' access and those who have 'manage' access. 2018-06-25 16:45:15 -07:00			`var scopes = [ 'profile', 'apps:read' ];`
Map group roles to scopes 2018-06-18 14:21:54 -07:00
			`for (let r of roles) {`
			`if (!ROLE_DEFINITIONS[r]) continue; // unknown or some legacy role`

			`scopes = scopes.concat(ROLE_DEFINITIONS[r].scopes);`
			`}`

			`return _.uniq(scopes.sort(), true /* isSorted */);`
			`}`