// Role-based access-control middleware for restify. Identity and role names
// are read from request headers; lodash supplies the set difference used when
// matching combo roles ("a+b") in basicAclPlugin below.
const _ = require('lodash');
module.exports = {};
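/**
 * Build a restify middleware that enforces a simple header-driven role ACL.
 *
 * The user and roles are taken from request headers (`options.userHeader`,
 * default `X-User`; `options.rolesHeader`, default `X-User-Roles`). The
 * middleware trusts those headers as presented, so it assumes something in
 * front of the service (presumably a gateway or proxy) prevents clients from
 * supplying them directly — confirm for your deployment.
 *
 * @param {object} [options]
 * @param {string} [options.userHeader='X-User'] header carrying the user; its
 *   value is exposed as `req.user`, JSON-decoded when it parses, otherwise raw.
 * @param {string} [options.rolesHeader='X-User-Roles'] header carrying a
 *   comma-separated list of role names, exposed as `req.roles`.
 * @param {Object<string, string[]>} [options.roles={}] map from role name to
 *   the lower-case HTTP methods that role may use. A key containing `+`
 *   (e.g. `editor+reviewer`) is a combo role that applies only when the
 *   request carries every member role.
 * @param {string[]} [options.unprotectedRoutes=[]] exact request paths
 *   (trailing slash ignored) that bypass the check entirely.
 * @param {string} [options.unauthorizedMessage] message passed to
 *   `restify.UnauthorizedError` when access is denied.
 * @param {object} restify the restify module, used for `UnauthorizedError`.
 * @returns {function(req, res, next): void} middleware that sets `req.user`
 *   and `req.roles`, then calls `next()` or `next(new restify.UnauthorizedError(...))`.
 */
module.exports.basicAclPlugin = function (options, restify) {
  // Resolve defaults into a private config object so the caller's `options`
  // is not mutated. `||` (not `??`) keeps the original falsy-means-default rule.
  const opts = options || {};
  const config = {
    userHeader: opts.userHeader || 'X-User',
    rolesHeader: opts.rolesHeader || 'X-User-Roles',
    roles: opts.roles || {},
    unauthorizedMessage:
      opts.unauthorizedMessage ||
      'You do not have the necessary permission to access this resource.',
    // Normalise configured routes the same way request paths are normalised
    // below, so an entry written with a trailing slash still matches.
    unprotectedRoutes: (opts.unprotectedRoutes || []).map((p) => p.replace(/\/$/, '')),
  };

  // Only own keys of the role map count as roles. A header value such as
  // `__proto__`, `constructor` or `toString` would otherwise resolve to an
  // inherited Object.prototype member and `.indexOf` would throw.
  const hasOwn = Object.prototype.hasOwnProperty;
  const roleAllows = (roleName, method) => {
    if (!hasOwn.call(config.roles, roleName)) return false;
    const methods = config.roles[roleName];
    return Boolean(methods) && methods.indexOf(method) !== -1;
  };

  // Combo roles ("a+b") are fixed configuration, so derive them once here
  // rather than on every request (and previously once per request role).
  const comboRoles = Object.keys(config.roles)
    .filter((key) => /\+/.test(key))
    .map((key) => ({ roleIdentifier: key, comboRole: key.split('+') }));

  return function (req, res, next) {
    const userHeader = req.header(config.userHeader);
    const rolesHeader = req.header(config.rolesHeader);
    const path = req.path().replace(/\/$/, '');
    const skipAcl = config.unprotectedRoutes.indexOf(path) !== -1;

    if (!rolesHeader && !skipAcl) {
      return next(new restify.UnauthorizedError(config.unauthorizedMessage));
    }

    // Expose the user: JSON when it parses, the raw header string otherwise.
    if (userHeader) {
      try {
        req.user = JSON.parse(userHeader);
      } catch (e) {
        req.user = userHeader;
      }
    }

    req.roles = rolesHeader ? rolesHeader.split(',').map((s) => s.trim()) : null;

    if (skipAcl) {
      return next();
    }

    // Past the first guard rolesHeader was present, so req.roles is a
    // non-empty array here.
    const method = req.method.toLowerCase();
    const roles = req.roles;
    const comboAllowed =
      roles.length > 1 &&
      comboRoles.some(
        ({ roleIdentifier, comboRole }) =>
          // every member of the combo must appear in the request's roles
          _.difference(comboRole, roles).length === 0 &&
          roleAllows(roleIdentifier, method)
      );
    const singleAllowed = roles.some((role) => roleAllows(role, method));

    if (!comboAllowed && !singleAllowed) {
      return next(new restify.UnauthorizedError(config.unauthorizedMessage));
    }
    next();
  };
};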