Addresses PR feedback

Author: matthewpeterkort

src/server/auth/__tests__/authHelper.test.js

@@ -12,8 +12,7 @@ setupMockDataEndpoint();
 describe('AuthHelper', () => {
   test('could create auth helper instance', async () => {
     const authHelper = await getAuthHelperInstance('fake-jwt');
-    expect(authHelper.getAccessibleCreateResources()).toEqual(['internal-project-1', 'internal-project-3', 'internal-project-4', 'internal-project-5']);
-    expect(authHelper.getAccessibleCreateResources()).not.toContain(['internal-project-2', 'internal-project-6']);
+    expect(authHelper.getCanRefresh()).toEqual(false);
     expect(authHelper.getAccessibleResources()).toEqual(['internal-project-1', 'internal-project-2', 'internal-project-4', 'internal-project-5']);
     expect(authHelper.getAccessibleResources()).not.toContain(['internal-project-3', 'internal-project-6']);
     expect(authHelper.getUnaccessibleResources()).toEqual(['external-project-1', 'external-project-2']);

src/server/auth/arboristClient.js

@@ -8,10 +8,10 @@ class ArboristClient {
     this.baseEndpoint = arboristEndpoint;
   }
 
-  listAuthorizedResources(jwt) {
+  listAuthMapping(jwt) {
     // Make request to arborist for list of resources with access
     const resourcesEndpoint = `${this.baseEndpoint}/auth/mapping`;
-    log.debug('[ArboristClient] listAuthorizedResources jwt: ', jwt);
+    log.debug('[ArboristClient] listAuthMapping jwt: ', jwt);
 
     const headers = (jwt) ? { Authorization: `bearer ${jwt}` } : {};
     return fetch(
@@ -40,87 +40,6 @@ class ArboristClient {
         log.error(err);
         throw new CodedError(500, err);
       },
-    ).then(
-      (result) => {
-        const data = {
-          resources: [],
-        };
-        Object.keys(result).forEach((key) => {
-        // logic: you have access to a project if you have the following access:
-        // method 'read' (or '*' - all methods) to service 'guppy' (or '*' - all services)
-        // on the project resource.
-          if (result[key] && result[key].some((x) => (
-            (x.method === 'read' || x.method === '*')
-          && (x.service === 'guppy' || x.service === '*')
-          ))) {
-            data.resources.push(key);
-          }
-        });
-        log.debug('[ArboristClient] data: ', data);
-        return data;
-      },
-      (err) => {
-        log.error(err);
-        throw new CodedError(500, err);
-      },
-    );
-  }
-
-  listAuthorizedCreateResources(jwt) {
-    // Make request to arborist for list of resources with access
-    const resourcesEndpoint = `${this.baseEndpoint}/auth/mapping`;
-    log.debug('[ArboristClient] listAuthorizedCreateResources jwt: ', jwt);
-
-    const headers = (jwt) ? { Authorization: `bearer ${jwt}` } : {};
-    return fetch(
-      resourcesEndpoint,
-      {
-        method: 'POST',
-        headers,
-      },
-    ).then(
-      (response) => {
-        if (response.status === 400) {
-          // Retry with GET instead of POST. Older version of Arborist POST auth/mapping
-          // didn't support token authentication.
-          // This catch block can be removed in a little while, when it will likely not cause issues
-          return fetch(
-            resourcesEndpoint,
-            {
-              method: 'GET',
-              headers,
-            },
-          ).then((res) => res.json());
-        }
-        return response.json();
-      },
-      (err) => {
-        log.error(err);
-        throw new CodedError(500, err);
-      },
-    ).then(
-      (result) => {
-        const data = {
-          resources: [],
-        };
-        Object.keys(result).forEach((key) => {
-        // logic: you have access to a project if you have the following access:
-        // method 'create' (or '*' - all methods) to service 'guppy' (or '*' - all services)
-        // on the project resource.
-          if (result[key] && result[key].some((x) => (
-            (x.method === 'create' || x.method === '*')
-          && (x.service === 'guppy' || x.service === '*')
-          ))) {
-            data.resources.push(key);
-          }
-        });
-        log.debug('[ArboristClient] data: ', data);
-        return data;
-      },
-      (err) => {
-        log.error(err);
-        throw new CodedError(500, err);
-      },
     );
   }
 }

src/server/auth/authHelper.js

@@ -5,7 +5,7 @@ import {
   getRequestResourceListFromFilter,
   buildFilterWithResourceList,
   getAccessibleResourcesFromArboristasync,
-  getAccessibleCreateResourcesFromArboristasync
+  canRefresh,
 } from './utils';
 import config from '../config';
 
@@ -19,8 +19,8 @@ export class AuthHelper {
       this._accessibleResourceList = await getAccessibleResourcesFromArboristasync(this._jwt);
       log.debug('[AuthHelper] accessible resources:', this._accessibleResourceList);
 
-      this._accessibleCreateResourceList = await getAccessibleCreateResourcesFromArboristasync(this._jwt);
-      log.debug('[AuthHelper] accessible resources with create method:', this._accessibleCreateResourceList);
+      this._canRefresh = await canRefresh(this._jwt);
+      log.debug('[AuthHelper] can user refresh:', this._canRefresh);
 
       const promiseList = [];
       config.esConfig.indices.forEach(({ index, type }) => {
@@ -43,8 +43,8 @@ export class AuthHelper {
     return this._accessibleResourceList;
   }
 
-  getAccessibleCreateResources(){
-    return this._accessibleCreateResourceList
+  getCanRefresh(){
+    return this._canRefresh
   }
 
   getUnaccessibleResources() {

src/server/auth/utils.js

@@ -16,7 +16,7 @@ export const getAccessibleResourcesFromArboristasync = async (jwt) => {
       ],
     };
   } else {
-    data = await arboristClient.listAuthorizedResources(jwt);
+    data = await arboristClient.listAuthMapping(jwt);
   }
 
   log.debug('[authMiddleware] list resources: ', JSON.stringify(data, null, 4));
@@ -27,11 +27,13 @@ export const getAccessibleResourcesFromArboristasync = async (jwt) => {
     }
     throw new CodedError(data.error.code, data.error.message);
   }
+
+  data = resourcePathsWithServiceMethodCombination(data, ['guppy', '*'], ['read', '*'])
   const resources = data.resources ? _.uniq(data.resources) : [];
   return resources;
 };
 
-export const getAccessibleCreateResourcesFromArboristasync = async (jwt) => {
+export const canRefresh = async (jwt) => {
   let data;
   if (config.internalLocalTest) {
     data = {
@@ -41,19 +43,21 @@ export const getAccessibleCreateResourcesFromArboristasync = async (jwt) => {
       ],
     };
   } else {
-    data = await arboristClient.listAuthorizedCreateResources(jwt);
+    data = await arboristClient.listAuthMapping(jwt);
   }
 
-  log.debug('[authMiddleware] list create resources: ', JSON.stringify(data, null, 4));
+  log.debug('[authMiddleware] list resources: ', JSON.stringify(data, null, 4));
   if (data && data.error) {
     // if user is not in arborist db, assume has no access to any
     if (data.error.code === 404) {
-      return [];
+      return false;
     }
     throw new CodedError(data.error.code, data.error.message);
   }
-  const resources = data.resources ? _.uniq(data.resources) : [];
-  return resources;
+  data = resourcePathsWithServiceMethodCombination(data, ['guppy'], ['admin_access', '*'])
+
+  // Only guppy_admin resource path can control guppy admin access
+  return data.resources ? data.resources.includes('/guppy_admin') : false;
 };
 
 export const getRequestResourceListFromFilter = async (
@@ -74,3 +78,20 @@ export const buildFilterWithResourceList = (resourceList = []) => {
   };
   return filter;
 };
+
+export const resourcePathsWithServiceMethodCombination = (userAuthMapping, services, methods = {}) => {
+  const data = {
+    resources: [],
+  };
+  Object.keys(userAuthMapping).forEach((key) => {
+  // logic: you have access to a project if you have
+  // access to any of the combinations made by the method and service lists
+  if (userAuthMapping[key] && userAuthMapping[key].some((x) => (
+        methods.includes(x.method)
+        && services.includes(x.service)
+      ))) {
+        data.resources.push(key);
+      }
+  });
+  return data
+}

src/server/server.js

@@ -28,24 +28,24 @@ app.use(bodyParser.json({ limit: '50mb' }));
 const refreshRouter  = async (req, res, next) => {
   res.setHeader('Content-Type', 'application/json; charset=utf-8');
   try {
-    if (config.allowRefresh) {
+    if (config.allowRefresh === false) {
+      const disabledRefresh = new CodedError(404, '[Refresh] guppy _refresh functionality is not enabled');
+      throw disabledRefresh;
+    }
+    else if (config.allowRefresh) {
       log.debug('[Refresh] ', JSON.stringify(req.body, null, 4));
       const jwt = headerParser.parseJWT(req);
       if (!jwt) {
         const noJwtError = new CodedError(401, '[Refresh] no JWT user token provided to _refresh function');
         throw noJwtError;
       }
       const authHelper = await getAuthHelperInstance(jwt);
-      console.log("AUTH HELPER: ", authHelper)
-      if (authHelper._accessibleCreateResourceList === undefined || authHelper._accessibleCreateResourceList.length === 0) {
-        const noPermsUser = new CodedError(401, '[Refresh] User cannot refresh Guppy without a valid token that has read access to at least one project');
+      if (authHelper._canRefresh === undefined || authHelper._canRefresh === false) {
+        const noPermsUser = new CodedError(401, '[Refresh] User cannot refresh Guppy without a valid token that has admin_access method on guppy service for resource path /guppy_admin');
         throw noPermsUser;
       }
       await server.stop()
       await initializeAndStartServer();
-    } else if (config.allowRefresh === false) {
-      const disabledRefresh = new CodedError(404, '[Refresh] guppy _refresh functionality is not enabled');
-      throw disabledRefresh;
     }
     res.send("[Refresh] guppy refreshed successfully")
   } catch (err) {