diff --git a/src/appdb.js b/src/appdb.js
index 1b93d7a7e..ed85ec615 100644
--- a/src/appdb.js
+++ b/src/appdb.js
@@ -59,11 +59,11 @@ var assert = require('assert'),
 var APPS_FIELDS = [ 'id', 'appStoreId', 'installationState', 'installationProgress', 'runState', 'health', 'containerId', 'manifestJson', 'httpPort', 'location', 'dnsRecordId',
- 'accessRestriction', 'lastBackupId', 'lastBackupConfigJson', 'oldConfigJson' ].join(',');
+ 'accessRestriction', 'lastBackupId', 'lastBackupConfigJson', 'oldConfigJson', 'oauthProxy' ].join(',');
 var APPS_FIELDS_PREFIXED = [ 'apps.id', 'apps.appStoreId', 'apps.installationState', 'apps.installationProgress', 'apps.runState', 'apps.health', 'apps.containerId', 'apps.manifestJson', 'apps.httpPort', 'apps.location', 'apps.dnsRecordId',
- 'apps.accessRestriction', 'apps.lastBackupId', 'apps.lastBackupConfigJson', 'apps.oldConfigJson' ].join(',');
+ 'apps.accessRestriction', 'apps.lastBackupId', 'apps.lastBackupConfigJson', 'apps.oldConfigJson', 'apps.oauthProxy' ].join(',');
 var PORT_BINDINGS_FIELDS = [ 'hostPort', 'environmentVariable', 'appId' ].join(',');
@@ -176,7 +176,7 @@ function getAll(callback) {
 });
 }
-function add(id, appStoreId, manifest, location, portBindings, accessRestriction, callback) {
+function add(id, appStoreId, manifest, location, portBindings, accessRestriction, oauthProxy, callback) {
 assert.strictEqual(typeof id, 'string');
 assert.strictEqual(typeof appStoreId, 'string');
 assert(manifest && typeof manifest === 'object');
@@ -184,6 +184,7 @@ function add(id, appStoreId, manifest, location, portBindings, accessRestriction
 assert.strictEqual(typeof location, 'string');
 assert.strictEqual(typeof portBindings, 'object');
 assert.strictEqual(typeof accessRestriction, 'string');
+ assert.strictEqual(typeof oauthProxy, 'boolean');
 assert.strictEqual(typeof callback, 'function');
 portBindings = portBindings || { };
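Review bot: `oauthProxy` is now selected in `APPS_FIELDS` and `APPS_FIELDS_PREFIXED`, but no hunk in this commit converts the stored column back to a boolean when rows are read. If the database driver returns it as 0/1 (the driver and schema are not visible on this page), `removeInternalAppFields` will hand a number to API clients, and a client that echoes that value back to `configureApp` will be rejected by the new `typeof data.oauthProxy !== 'boolean'` check. Wherever this file post-processes a row, I would add `result.oauthProxy = !!result.oauthProxy;` (with `result` standing for the row object) so every consumer sees the same type that `add()` asserts on the way in.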
@@ -192,8 +193,8 @@ function add(id, appStoreId, manifest, location, portBindings, accessRestriction
 var queries = [ ];
 queries.push({
- query: 'INSERT INTO apps (id, appStoreId, manifestJson, installationState, location, accessRestriction) VALUES (?, ?, ?, ?, ?, ?)',
- args: [ id, appStoreId, manifestJson, exports.ISTATE_PENDING_INSTALL, location, accessRestriction ]
+ query: 'INSERT INTO apps (id, appStoreId, manifestJson, installationState, location, accessRestriction, oauthProxy) VALUES (?, ?, ?, ?, ?, ?, ?)',
+ args: [ id, appStoreId, manifestJson, exports.ISTATE_PENDING_INSTALL, location, accessRestriction, oauthProxy ]
 });
 Object.keys(portBindings).forEach(function (env) {
diff --git a/src/apps.js b/src/apps.js
index d5c2199c1..7435444e6 100644
--- a/src/apps.js
+++ b/src/apps.js
@@ -281,13 +281,14 @@ function purchase(appStoreId, callback) {
 });
 }
-function install(appId, appStoreId, manifest, location, portBindings, accessRestriction, icon, callback) {
+function install(appId, appStoreId, manifest, location, portBindings, accessRestriction, oauthProxy, icon, callback) {
 assert.strictEqual(typeof appId, 'string');
 assert.strictEqual(typeof appStoreId, 'string');
 assert(manifest && typeof manifest === 'object');
 assert.strictEqual(typeof location, 'string');
 assert.strictEqual(typeof portBindings, 'object');
 assert.strictEqual(typeof accessRestriction, 'string');
+ assert.strictEqual(typeof oauthProxy, 'boolean');
 assert(!icon || typeof icon === 'string');
 assert.strictEqual(typeof callback, 'function');
@@ -319,7 +320,7 @@ function install(appId, appStoreId, manifest, location, portBindings, accessRest
 purchase(appStoreId, function (error) {
 if (error) return callback(error);
- appdb.add(appId, appStoreId, manifest, location.toLowerCase(), portBindings, accessRestriction, function (error) {
+ appdb.add(appId, appStoreId, manifest, location.toLowerCase(), portBindings, accessRestriction, oauthProxy, function (error) {
 if (error && error.reason === DatabaseError.ALREADY_EXISTS) return callback(getDuplicateErrorDetails(location.toLowerCase(), portBindings, error));
 if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
@@ -330,11 +331,12 @@ function install(appId, appStoreId, manifest, location, portBindings, accessRest
 });
 }
-function configure(appId, location, portBindings, accessRestriction, callback) {
+function configure(appId, location, portBindings, accessRestriction, oauthProxy, callback) {
 assert.strictEqual(typeof appId, 'string');
 assert.strictEqual(typeof location, 'string');
 assert.strictEqual(typeof portBindings, 'object');
 assert.strictEqual(typeof accessRestriction, 'string');
+ assert.strictEqual(typeof oauthProxy, 'boolean');
 assert.strictEqual(typeof callback, 'function');
 var error = validateHostname(location, config.fqdn());
@@ -353,12 +355,14 @@ function configure(appId, location, portBindings, accessRestriction, callback) {
 var values = {
 location: location.toLowerCase(),
 accessRestriction: accessRestriction,
+ oauthProxy: oauthProxy,
 portBindings: portBindings,
 oldConfig: {
 location: app.location,
 accessRestriction: app.accessRestriction,
- portBindings: app.portBindings
+ portBindings: app.portBindings,
+ oauthProxy: app.oauthProxy
 }
 };
@@ -512,6 +516,7 @@ function restore(appId, callback) {
 oldConfig: {
 location: app.location,
 accessRestriction: app.accessRestriction,
+ oauthProxy: app.oauthProxy,
 portBindings: app.portBindings,
 manifest: app.manifest
 }
@@ -759,7 +764,8 @@ function backupApp(app, addonsToBackup, callback) {
 manifest: app.manifest,
 location: app.location,
 portBindings: app.portBindings,
- accessRestriction: app.accessRestriction
+ accessRestriction: app.accessRestriction,
+ oauthProxy: app.oauthProxy
 };
 backupFunction = createNewBackup.bind(null, app, addonsToBackup);
diff --git a/src/apptask.js b/src/apptask.js
index 7b67d9196..b28c79d9f 100644
--- a/src/apptask.js
+++ b/src/apptask.js
@@ -109,7 +109,7 @@ function configureNginx(app, callback) {
 if (error) return callback(error);
 var sourceDir = path.resolve(__dirname, '..');
- var endpoint = app.accessRestriction ? 'oauthproxy' : 'app';
+ var endpoint = app.oauthProxy ? 'oauthproxy' : 'app';
 var nginxConf = ejs.render(NGINX_APPCONFIG_EJS, { sourceDir: sourceDir, adminOrigin: config.adminOrigin(), vhost: config.appFqdn(app.location), port: freePort, endpoint: endpoint });
 var nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, app.id + '.conf');
@@ -303,13 +303,13 @@ function allocateOAuthProxyCredentials(app, callback) {
 assert.strictEqual(typeof app, 'object');
 assert.strictEqual(typeof callback, 'function');
- if (!app.accessRestriction) return callback(null);
+ if (!app.oauthProxy) return callback(null);
 var appId = 'proxy-' + app.id;
 var id = 'cid-proxy-' + uuid.v4();
 var clientSecret = hat(256);
 var redirectURI = 'https://' + config.appFqdn(app.location);
- var scope = 'profile,' + app.accessRestriction;
+ var scope = 'profile,roleUser';
 clientdb.add(id, appId, clientSecret, redirectURI, scope, callback);
 }
diff --git a/src/routes/apps.js b/src/routes/apps.js
index 3d85901e1..e2c4c38bf 100644
--- a/src/routes/apps.js
+++ b/src/routes/apps.js
@@ -43,6 +43,7 @@ function removeInternalAppFields(app) {
 health: app.health,
 location: app.location,
 accessRestriction: app.accessRestriction,
+ oauthProxy: app.oauthProxy,
 lastBackupId: app.lastBackupId,
 manifest: app.manifest,
 portBindings: app.portBindings,
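Review bot: In configureNginx (and in the `if (!app.oauthProxy)` guard of allocateOAuthProxyCredentials) the proxy is now chosen from `app.oauthProxy` alone, so an app record with `accessRestriction` set and a missing or falsy `oauthProxy` is served on the direct `app` endpoint. That covers rows created before the column existed and backup configs written before the backupApp hunk added the key; the schema migration and the restore path are not part of this page, so their defaults need checking. The migration should backfill `oauthProxy` as true for every app whose `accessRestriction` is non-empty, so that no previously proxied app loses the proxy on its next nginx reconfigure. I would also put `// oauthProxy alone decides proxying; accessRestriction no longer implies it` above the `endpoint` line. configureNginx starts and ends outside the hunk.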
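Review bot: The client scope in allocateOAuthProxyCredentials is now the constant `'profile,roleUser'`, so the proxy's OAuth client no longer carries the app's `accessRestriction`. If the proxy relied on that scope to enforce a stricter restriction, any user holding the `roleUser` scope would now pass; where the restriction is enforced after this change is not visible on this page. If the scope is meant to keep following the restriction, `var scope = 'profile,' + (app.accessRestriction || 'roleUser');` keeps the old value for restricted apps and uses the new default otherwise. The function's signature lies above the hunk.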
@@ -114,14 +115,15 @@ function installApp(req, res, next) {
 if (typeof data.location !== 'string') return next(new HttpError(400, 'location is required'));
 if (('portBindings' in data) && typeof data.portBindings !== 'object') return next(new HttpError(400, 'portBindings must be an object'));
 if (typeof data.accessRestriction !== 'string') return next(new HttpError(400, 'accessRestriction is required'));
+ if (typeof data.oauthProxy !== 'boolean') return next(new HttpError(400, 'oauthProxy must be a boolean'));
 if ('icon' in data && typeof data.icon !== 'string') return next(new HttpError(400, 'icon is not a string'));
 // allow tests to provide an appId for testing
 var appId = (process.env.BOX_ENV === 'test' && typeof data.appId === 'string') ? data.appId : uuid.v4();
- debug('Installing app id:%s storeid:%s loc:%s port:%j restrict:%s manifest:%j', appId, data.appStoreId, data.location, data.portBindings, data.accessRestriction, data.manifest);
+ debug('Installing app id:%s storeid:%s loc:%s port:%j restrict:%s oauthproxy:%s manifest:%j', appId, data.appStoreId, data.location, data.portBindings, data.accessRestriction, data.oauthProxy, data.manifest);
- apps.install(appId, data.appStoreId, data.manifest, data.location, data.portBindings || null, data.accessRestriction, data.icon || null, function (error) {
+ apps.install(appId, data.appStoreId, data.manifest, data.location, data.portBindings || null, data.accessRestriction, data.oauthProxy, data.icon || null, function (error) {
 if (error && error.reason === AppsError.ALREADY_EXISTS) return next(new HttpError(409, error.message));
 if (error && error.reason === AppsError.PORT_RESERVED) return next(new HttpError(409, 'Port ' + error.message + ' is reserved.'));
 if (error && error.reason === AppsError.PORT_CONFLICT) return next(new HttpError(409, 'Port ' + error.message + ' is already in use.'));
@@ -150,10 +152,11 @@ function configureApp(req, res, next) {
 if (typeof data.location !== 'string') return next(new HttpError(400, 'location is required'));
 if (('portBindings' in data) && typeof data.portBindings !== 'object') return next(new HttpError(400, 'portBindings must be an object'));
 if (typeof data.accessRestriction !== 'string') return next(new HttpError(400, 'accessRestriction is required'));
+ if (typeof data.oauthProxy !== 'boolean') return next(new HttpError(400, 'oauthProxy must be a boolean'));
 debug('Configuring app id:%s location:%s bindings:%j', req.params.id, data.location, data.portBindings);
- apps.configure(req.params.id, data.location, data.portBindings || null, data.accessRestriction, function (error) {
+ apps.configure(req.params.id, data.location, data.portBindings || null, data.accessRestriction, data.oauthProxy, function (error) {
 if (error && error.reason === AppsError.ALREADY_EXISTS) return next(new HttpError(409, error.message));
 if (error && error.reason === AppsError.PORT_RESERVED) return next(new HttpError(409, 'Port ' + error.message + ' is reserved.'));
 if (error && error.reason === AppsError.PORT_CONFLICT) return next(new HttpError(409, 'Port ' + error.message + ' is already in use.'));
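Review bot: The `debug` line in configureApp still records only id, location and bindings, so a request that switches an app's OAuth proxy off or changes its `accessRestriction` leaves no trace in the debug output, although installApp's line was extended in this commit. I would log both values here as well: `debug('Configuring app id:%s location:%s bindings:%j restrict:%s oauthproxy:%s', req.params.id, data.location, data.portBindings, data.accessRestriction, data.oauthProxy);`. configureApp begins and ends outside the hunk.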