diff --git a/src/accesscontrol.js b/src/accesscontrol.js
index 6f4aee42f..1ab236de8 100644
--- a/src/accesscontrol.js
+++ b/src/accesscontrol.js
@@ -20,7 +20,7 @@ exports = module.exports = {
 validateScopeString: validateScopeString,
 hasScopes: hasScopes,
- intersectScope: intersectScope,
+ intersectScopes: intersectScopes,
 canonicalScope: canonicalScope
 };
@@ -34,17 +34,11 @@ function canonicalScope(scope) {
 return scopes.join(',');
 }
-function intersectScope(allowedScope, wantedScope) {
- assert.strictEqual(typeof allowedScope, 'string');
- assert.strictEqual(typeof wantedScope, 'string');
+function intersectScopes(allowedScopes, wantedScopes) {
+ assert(Array.isArray(allowedScopes), 'Expecting array');
+ assert(Array.isArray(wantedScopes), 'Expecting array');
- const allowedScopes = allowedScope.split(',');
- const wantedScopes = wantedScope.split(',');
-
- if (allowedScopes.indexOf(exports.SCOPE_ANY) !== -1) return canonicalScope(wantedScope);
- if (wantedScopes.indexOf(exports.SCOPE_ANY) !== -1) return canonicalScope(allowedScope);
-
- return _.intersection(allowedScopes, wantedScopes).join(',');
+ return _.intersection(allowedScopes, wantedScopes);
 }
 function validateRoles(roles) {
diff --git a/src/routes/accesscontrol.js b/src/routes/accesscontrol.js
index ded070e31..5b8f490c0 100644
--- a/src/routes/accesscontrol.js
+++ b/src/routes/accesscontrol.js
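Review bot: intersectScopes silently drops the SCOPE_ANY handling that the removed intersectScope had, so a wanted list containing `'*'` now intersects to `[]` instead of expanding to every allowed scope, and nothing in the hunk says whether `'*'` can still reach this function (the deleted tests show it used to). If it can — for instance from a token whose scope was persisted as `'*'` before this change — those tokens lose all access without any error, which fails closed but is a behaviour change the commit should state; if it cannot, `exports.SCOPE_ANY` and whatever validation still accepts it look like dead code. Either way the new contract deserves a line above the function, e.g. `// Plain set intersection: SCOPE_ANY ('*') is NOT expanded here; callers must pass concrete scope lists (see VALID_SCOPES).` The new assertions also no longer check that the elements are strings, which the old `typeof` asserts did; an `every((s) => typeof s === 'string')` guard on both arrays would keep that strictness. canonicalScope's body begins outside the hunk.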
@@ -107,11 +107,11 @@ function accessTokenAuth(accessToken, callback) {
 // scopes here can define what capabilities that token carries
 // passport put the 'info' object into req.authInfo, where we can further validate the scopes
- const userScope = user.groupIds.indexOf(constants.ADMIN_GROUP_ID) !== -1 ? '*' : 'profile';
- var scope = accesscontrol.intersectScope(userScope, token.scope).split(',');
+ const userScopes = user.groupIds.indexOf(constants.ADMIN_GROUP_ID) !== -1 ? accesscontrol.VALID_SCOPES : [ 'profile' ];
+ var authorizedScopes = accesscontrol.intersectScopes(userScopes, token.scope.split(','));
 // these clients do not require password checks unlike UI
 const skipPasswordVerification = token.clientId === 'cid-sdk' || token.clientId === 'cid-cli';
- var info = { authorizedScopes: scope, skipPasswordVerification: skipPasswordVerification };
+ var info = { authorizedScopes: authorizedScopes, skipPasswordVerification: skipPasswordVerification };
 callback(null, user, info);
 });
diff --git a/src/test/accesscontrol-test.js b/src/test/accesscontrol-test.js
index feb7ab5aa..8f674b7a2 100644
--- a/src/test/accesscontrol-test.js
+++ b/src/test/accesscontrol-test.js
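Review bot: `token.scope.split(',')` feeds the stored scope straight into intersectScopes, and because that function no longer expands SCOPE_ANY, any access token that was persisted with scope `'*'` (a form the removed intersectScope explicitly supported on the wanted side) now authenticates with `authorizedScopes: []` — a silent loss of access rather than an error, which is fail-closed but will surface as unexplained 403s for those clients unless such tokens are migrated or rejected at issue time. If `token.scope` can ever be absent, `.split` throws inside the passport callback instead of producing an auth failure; the old typeof assert threw there too, so it is not a regression, but `(token.scope || '').split(',')` would turn it into a clean empty scope set. Minor style: `var authorizedScopes` is never reassigned and sits beside a `const`, so it can be `const`. accessTokenAuth begins and ends outside the hunk.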
@@ -20,29 +20,18 @@ describe('access control', function () {
 });
 });
- describe('intersectScope', function () { // args: allowed, wanted
+ describe('intersectScopes', function () { // args: allowed, wanted
 it('both are same', function () {
- expect(accesscontrol.intersectScope('apps,clients', 'clients,apps')).to.be('apps,clients');
+ expect(accesscontrol.intersectScopes([ 'apps', 'clients' ], [ 'clients', 'apps' ])).to.eql([ 'apps', 'clients' ]);
 });
 it('some are different', function () {
- expect(accesscontrol.intersectScope('apps', 'clients,apps')).to.be('apps');
- expect(accesscontrol.intersectScope('clients,domains,mail', 'mail')).to.be('mail');
- });
-
- it('* in allowed', function () {
- expect(accesscontrol.intersectScope('*', 'clients,apps')).to.be('clients,apps');
- expect(accesscontrol.intersectScope('foo,*,bar', 'mail')).to.be('mail');
- });
-
- it('* in wanted', function () {
- expect(accesscontrol.intersectScope('clients,apps', '*')).to.be('clients,apps');
- expect(accesscontrol.intersectScope('mail', 'bar,*,foo')).to.be('mail');
- expect(accesscontrol.intersectScope('*', '*')).to.be(accesscontrol.VALID_SCOPES.join(','));
+ expect(accesscontrol.intersectScopes([ 'apps' ], [ 'clients', 'apps' ])).to.eql(['apps']);
+ expect(accesscontrol.intersectScopes([ 'clients', 'domains', 'mail' ], [ 'mail' ])).to.eql(['mail']);
 });
 it('everything is different', function () {
- expect(accesscontrol.intersectScope('cloudron,domains', 'clients,apps')).to.be('');
+ expect(accesscontrol.intersectScopes(['cloudron', 'domains' ], ['clients', 'apps'])).to.eql('');
 });
 });
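Review bot: the last assertion, `expect(accesscontrol.intersectScopes(['cloudron', 'domains' ], ['clients', 'apps'])).to.eql('')`, compares the array the new function returns against a string; if it passes at all it is only because expect's loose `eql` sees an empty array and an empty string as having the same (zero) keys, so it should read `.to.eql([])` to actually pin the return type. The two `*` cases were deleted without replacement, so the suite no longer documents what intersectScopes does when `'*'` appears in either list — presumably it is now just an ordinary, non-matching scope — and a case such as `expect(accesscontrol.intersectScopes([ '*' ], [ 'apps' ])).to.eql([])` (plus its mirror with `'*'` on the wanted side) would make that intentional rather than accidental. There is also no case for duplicates or for an empty array on either side, and a caller that splits an empty scope string on `','` hands the function `['']`, which is worth pinning too. The enclosing describe('access control') opens outside the hunk.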