uc-cdis · mfshao · Oct 29, 2024 · Jul 10, 2024 · Jul 10, 2024 · Jul 10, 2024
diff --git a/src/server/__mocks__/mockDataFromES.js b/src/server/__mocks__/mockDataFromES.js
@@ -13,6 +13,18 @@ const mockPing = () => {
     .reply(200, 'hello');
 };
 
+const mockRefresh = () => {
+  if (config.allowRefresh) {
+    nock(config.esConfig.host)
+      .post('/_refresh')
+      .reply(200, '[Server] guppy refreshed successfully');
+  } else {
+    nock(config.esConfig.host)
+      .post('/_refresh')
+      .reply(404, '[Server] guppy _refresh functionality is not enabled');
+  }
+};
+
 const mockResourcePath = () => {
   const queryResource = {
     size: 0,
@@ -405,6 +417,7 @@ const mockArrayConfig = () => {
 const setup = () => {
   mockArborist();
   mockPing();
+  mockRefresh();
   mockResourcePath();
   mockESMapping();
   mockArrayConfig();

diff --git a/src/server/__tests__/config.test.js b/src/server/__tests__/config.test.js
@@ -97,4 +97,11 @@ describe('config', () => {
     expect(config.esConfig.aggregationIncludeMissingData).toBe(true);
     expect(config.esConfig.missingDataAlias).toEqual(alias);
   });
+
+  /* --------------- For _refresh testing --------------- */
+  test('could not access _refresh method if not in config', async () => {
+    process.env.GUPPY_CONFIG_FILEPATH = `${__dirname}/testConfigFiles/test-no-refresh-option-provided.json`;
+    const config = require("../config").default;
+    expect(config.allowRefresh).toBe(false);
+  });
 });
diff --git a/src/server/__tests__/testConfigFiles/test-no-refresh-option-provided.json b/src/server/__tests__/testConfigFiles/test-no-refresh-option-provided.json
@@ -0,0 +1 @@
+{}
diff --git a/src/server/auth/__tests__/authHelper.test.js b/src/server/auth/__tests__/authHelper.test.js
@@ -1,5 +1,5 @@
 // eslint-disable-next-line
-import nock from 'nock'; // must import this to enable mock data by nock 
+import nock from 'nock'; // must import this to enable mock data by nock
 import getAuthHelperInstance from '../authHelper';
 import esInstance from '../../es/index';
 import setupMockDataEndpoint from '../../__mocks__/mockDataFromES';
@@ -12,6 +12,8 @@ setupMockDataEndpoint();
 describe('AuthHelper', () => {
   test('could create auth helper instance', async () => {
     const authHelper = await getAuthHelperInstance('fake-jwt');
+    expect(authHelper.getAccessibleCreateResources()).toEqual(['internal-project-1', 'internal-project-3', 'internal-project-4', 'internal-project-5']);
+    expect(authHelper.getAccessibleCreateResources()).not.toContain(['internal-project-2', 'internal-project-6']);
     expect(authHelper.getAccessibleResources()).toEqual(['internal-project-1', 'internal-project-2', 'internal-project-4', 'internal-project-5']);
     expect(authHelper.getAccessibleResources()).not.toContain(['internal-project-3', 'internal-project-6']);
     expect(authHelper.getUnaccessibleResources()).toEqual(['external-project-1', 'external-project-2']);

diff --git a/src/server/auth/arboristClient.js b/src/server/auth/arboristClient.js
@@ -65,6 +65,64 @@ class ArboristClient {
       },
     );
   }
+
+  listAuthorizedCreateResources(jwt) {
+    // Make request to arborist for list of resources with access
+    const resourcesEndpoint = `${this.baseEndpoint}/auth/mapping`;
+    log.debug('[ArboristClient] listAuthorizedCreateResources jwt: ', jwt);
+
+    const headers = (jwt) ? { Authorization: `bearer ${jwt}` } : {};
+    return fetch(
+      resourcesEndpoint,
+      {
+        method: 'POST',
+        headers,
+      },
+    ).then(
+      (response) => {
+        if (response.status === 400) {
+          // Retry with GET instead of POST. Older version of Arborist POST auth/mapping
+          // didn't support token authentication.
+          // This catch block can be removed in a little while, when it will likely not cause issues
+          return fetch(
+            resourcesEndpoint,
+            {
+              method: 'GET',
+              headers,
+            },
+          ).then((res) => res.json());
+        }
+        return response.json();
+      },
+      (err) => {
+        log.error(err);
+        throw new CodedError(500, err);
+      },
+    ).then(
+      (result) => {
+        const data = {
+          resources: [],
+        };
+        Object.keys(result).forEach((key) => {
+        // logic: you have access to a project if you have the following access:
+        // method 'create' (or '*' - all methods) to service 'guppy' (or '*' - all services)
+        // on the project resource.
+          if (result[key] && result[key].some((x) => (
+            (x.method === 'create' || x.method === '*')
+          && (x.service === 'guppy' || x.service === '*')
+          ))) {
+            data.resources.push(key);
+          }
+        });
+        log.debug('[ArboristClient] data: ', data);
+        return data;
+      },
+      (err) => {
+        log.error(err);
+        throw new CodedError(500, err);
+      },
+    );
+  }
 }
 
 export default new ArboristClient(config.arboristEndpoint);
diff --git a/src/server/auth/authHelper.js b/src/server/auth/authHelper.js
@@ -5,6 +5,7 @@ import {
   getRequestResourceListFromFilter,
   buildFilterWithResourceList,
   getAccessibleResourcesFromArboristasync,
+  getAccessibleCreateResourcesFromArboristasync
 } from './utils';
 import config from '../config';
 
@@ -18,6 +19,9 @@ export class AuthHelper {
       this._accessibleResourceList = await getAccessibleResourcesFromArboristasync(this._jwt);
       log.debug('[AuthHelper] accessible resources:', this._accessibleResourceList);
 
+      this._accessibleCreateResourceList = await getAccessibleCreateResourcesFromArboristasync(this._jwt);
+      log.debug('[AuthHelper] accessible resources with create method:', this._accessibleCreateResourceList);
+
       const promiseList = [];
       config.esConfig.indices.forEach(({ index, type }) => {
         const subListPromise = this.getOutOfScopeResourceList(index, type);
@@ -39,6 +43,10 @@ export class AuthHelper {
     return this._accessibleResourceList;
   }
 
+  getAccessibleCreateResources(){
+    return this._accessibleCreateResourceList
+  }
+
   getUnaccessibleResources() {
     return this._unaccessibleResourceList;
   }

diff --git a/src/server/auth/utils.js b/src/server/auth/utils.js
@@ -31,6 +31,31 @@ export const getAccessibleResourcesFromArboristasync = async (jwt) => {
   return resources;
 };
 
+export const getAccessibleCreateResourcesFromArboristasync = async (jwt) => {
+  let data;
+  if (config.internalLocalTest) {
+    data = {
+      resources: [ // these are just for testing
+        '/programs/DEV/projects/test',
+        '/programs/jnkns/projects/jenkins',
+      ],
+    };
+  } else {
+    data = await arboristClient.listAuthorizedCreateResources(jwt);
+  }
+
+  log.debug('[authMiddleware] list create resources: ', JSON.stringify(data, null, 4));
+  if (data && data.error) {
+    // if user is not in arborist db, assume has no access to any
+    if (data.error.code === 404) {
+      return [];
+    }
+    throw new CodedError(data.error.code, data.error.message);
+  }
+  const resources = data.resources ? _.uniq(data.resources) : [];
+  return resources;
+};
+
 export const getRequestResourceListFromFilter = async (
   esIndex,
   esType,

diff --git a/src/server/config.js b/src/server/config.js
@@ -38,6 +38,7 @@ const config = {
   analyzedTextFieldSuffix: '.analyzed',
   matchedTextHighlightTagName: 'em',
   allowedMinimumSearchLen: 2,
+  allowRefresh: inputConfig.allowRefresh || false,
 };
 
 if (process.env.GEN3_ES_ENDPOINT) {

diff --git a/src/server/server.js b/src/server/server.js
@@ -19,22 +19,50 @@ import downloadRouter from './download';
 import CodedError from './utils/error';
 import { statusRouter, versionRouter } from './endpoints';
 
+let server;
 const app = express();
 app.use(cors());
 app.use(helmet());
 app.use(bodyParser.json({ limit: '50mb' }));
 
+const refreshRouter  = async (req, res, next) => {
+  res.setHeader('Content-Type', 'application/json; charset=utf-8');
+  try {
+    if (config.allowRefresh) {
+      log.debug('[Refresh] ', JSON.stringify(req.body, null, 4));
+      const jwt = headerParser.parseJWT(req);
+      if (!jwt) {
+        const noJwtError = new CodedError(401, '[Refresh] no JWT user token provided to _refresh function');
+        throw noJwtError;
+      }
+      const authHelper = await getAuthHelperInstance(jwt);
+      console.log("AUTH HELPER: ", authHelper)
+      if (authHelper._accessibleCreateResourceList === undefined || authHelper._accessibleCreateResourceList.length === 0) {
+        const noPermsUser = new CodedError(401, '[Refresh] User cannot refresh Guppy without a valid token that has read access to at least one project');
+        throw noPermsUser;
+      }
+      await server.stop()
+      await initializeAndStartServer();
+    } else if (config.allowRefresh === false) {
+      const disabledRefresh = new CodedError(404, '[Refresh] guppy _refresh functionality is not enabled');
+      throw disabledRefresh;
+    }
+    res.send("[Refresh] guppy refreshed successfully")
+  } catch (err) {
+    log.error(err);
+    next(err);
+  }
+  return 0;
+};
+
 const startServer = async () => {
   // build schema and resolvers by parsing elastic search fields and types,
   const typeDefs = getSchema(config.esConfig, esInstance);
   const resolvers = getResolver(config.esConfig, esInstance);
   const schema = makeExecutableSchema({ typeDefs, resolvers });
-  const schemaWithMiddleware = applyMiddleware(
-    schema,
-    ...middlewares,
-  );
-    // create graphql server instance
-  const server = new ApolloServer({
+  const schemaWithMiddleware = applyMiddleware(schema, ...middlewares);
+  // create graphql server instance
+  server = new ApolloServer({
     mocks: false,
     schema: schemaWithMiddleware,
     validationRules: [depthLimit(10)],
@@ -57,43 +85,49 @@ const startServer = async () => {
       path: config.path,
     }),
   );
+  log.info(`[Server] guppy listening on port ${config.port}!`);
+};
 
-  // simple health check endpoint
-  // eslint-disable-next-line no-unused-vars
-  app.get('/_status', statusRouter, (req, res, err, next) => {
-    if (err instanceof CodedError) {
-      // deepcode ignore ServerLeak: no important information exists in error
-      res.status(err.code).send(err.msg);
-    } else {
-      // deepcode ignore ServerLeak: no important information exists in error
-      res.status(500).send(err);
-    }
-  });
+const initializeAndStartServer = async () => {
+  await esInstance.initialize();
+  await startServer();
+};
+// simple health check endpoint
+// eslint-disable-next-line no-unused-vars
+app.get('/_status', statusRouter, (req, res, err, next) => {
+  if (err instanceof CodedError) {
+    // deepcode ignore ServerLeak: no important information exists in error
+    res.status(err.code).send(err.msg);
+  } else {
+    // deepcode ignore ServerLeak: no important information exists in error
+    res.status(500).send(err);
+  }
+});
 
-  // eslint-disable-next-line no-unused-vars
-  app.get('/_version', versionRouter);
+// eslint-disable-next-line no-unused-vars
+app.get('/_version', versionRouter);
 
-  // download endpoint for fetching data directly from es
-  app.post(
-    '/download',
-    downloadRouter,
-    (err, req, res, next) => { // eslint-disable-line no-unused-vars
-      if (err instanceof CodedError) {
-        // deepcode ignore ServerLeak: no important information exists in error
-        res.status(err.code).send(err.msg);
-      } else {
-        // deepcode ignore ServerLeak: no important information exists in error
-        res.status(500).send(err);
-      }
-    },
-  );
+// download endpoint for fetching data directly from es
+app.post('/download', downloadRouter, (err, req, res, next) => {
+  // eslint-disable-line no-unused-vars
+  if (err instanceof CodedError) {
+    // deepcode ignore ServerLeak: no important information exists in error
+    res.status(err.code).send(err.msg);
+  } else {
+    // deepcode ignore ServerLeak: no important information exists in error
+    res.status(500).send(err);
+  }
+});
 
-  app.listen(config.port, () => {
-    log.info(`[Server] guppy listening on port ${config.port}!`);
-  });
-};
+app.post('/_refresh',refreshRouter,   (err, req, res, next) => {
+  if (err instanceof CodedError) {
+    res.status(err.code).send(err.msg);
+  }else{
+    res.status(500).send(err)
+  }
+});
 
 // need to connect to ES and initialize before setting up a server
-esInstance.initialize().then(() => {
-  startServer();
+app.listen(config.port, async () => {
+  await initializeAndStartServer();
 });
diff --git a/startServer.sh b/startServer.sh
@@ -4,4 +4,4 @@ if [[ -z "$DD_TRACE_ENABLED" ]]; then
     export DD_TRACE_ENABLED=false
 fi
 
-node --max-http-header-size 16000 --require dd-trace/init dist/server/server.js
+node --max-http-header-size 16000 --require dd-trace/init dist/server/server.js