Check permissions earlier and in a centralized way

noflo · Mar 22, 2018 · 85ab2d1 · 85ab2d1
1 parent 785b5a9
commit 85ab2d1
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 31 deletions.
diff --git a/src/Base.coffee b/src/Base.coffee
@@ -69,6 +69,25 @@ class BaseTransport
       return true
     false
 
+  # Check if a given user is authorized to send a given message
+  canInput: (protocol, topic, secret) ->
+    if protocol is 'graph'
+      # All graph messages are under the same capability
+      return @canDo ['protocol:graph'], secret
+    message = "#{protocol}:#{topic}"
+    switch message
+      when 'component:list' then return @canDo ['protocol:component'], secret
+      when 'component:getsource' then return @canDo ['component:getsource'], secret
+      when 'component:source' then return @canDo ['component:setsource'], secret
+      when 'network:edges' then return @canDo ['network:data', 'protocol:network'], secret
+      when 'network:start' then return @canDo ['network:control', 'protocol:network'], secret
+      when 'network:stop' then return @canDo ['network:control', 'protocol:network'], secret
+      when 'network:debug' then return @canDo ['network:control', 'protocol:network'], secret
+      when 'network:getstatus' then return @canDo ['network:status', 'network:control', 'protocol:network'], secret
+      when 'runtime:getruntime' then return true
+      when 'runtime:packet' then return @canDo ['protocol:runtime'], secret
+    return false
+
   # Get enabled capabilities for a user
   #
   # @param [String] Secret provided by user
@@ -121,6 +140,11 @@ class BaseTransport
     payload = {} unless payload
     debugMessagingReceive "#{protocol} #{topic}"
     debugMessagingReceivePayload payload
+
+    unless @canInput protocol, topic, payload.secret
+      @send protocol, 'error', new Error("#{protocol}:#{topic} is not permitted"), context
+      return
+
     @context = context
     switch protocol
       when 'runtime' then @runtime.receive topic, payload, context

diff --git a/src/protocol/Component.coffee b/src/protocol/Component.coffee
@@ -23,9 +23,6 @@ class ComponentProtocol
     return @loaders[baseDir]
 
   listComponents: (payload, context) ->
-    unless @transport.canDo ['protocol:component'], payload.secret
-      @send 'error', new Error("component:list not permitted"), context
-      return
     baseDir = @transport.options.baseDir
     loader = @getLoader baseDir, @transport.options
     loader.listComponents (err, components) =>
@@ -41,9 +38,6 @@ class ComponentProtocol
           @send 'componentsready', processed, context
 
   getSource: (payload, context) ->
-    unless @transport.canDo ['component:getsource'], payload.secret
-      @send 'error', new Error("component:getsource not permitted"), context
-      return
     baseDir = @transport.options.baseDir
     loader = @getLoader baseDir, @transport.options
     loader.getSource payload.name, (err, component) =>
@@ -65,9 +59,6 @@ class ComponentProtocol
         @send 'source', component, context
 
   setSource: (payload, context) ->
-    unless @transport.canDo ['component:setsource'], payload.secret
-      @send 'error', new Error("component:setsource not permitted"), context
-      return
     baseDir = @transport.options.baseDir
     loader = @getLoader baseDir, @transport.options
     loader.setSource payload.library, payload.name, payload.code, payload.language, (err) =>

diff --git a/src/protocol/Graph.coffee b/src/protocol/Graph.coffee
@@ -11,10 +11,6 @@ class GraphProtocol
     @transport.sendAll 'graph', topic, payload
 
   receive: (topic, payload, context) ->
-    unless @transport.canDo 'protocol:graph', payload.secret
-      @send 'error', new Error("graph:#{topic} not permitted"), context
-      return
-
     # Find locally stored graph by ID
     if topic isnt 'clear'
       graph = @resolveGraph payload, context

diff --git a/src/protocol/Network.coffee b/src/protocol/Network.coffee
@@ -93,9 +93,6 @@ class NetworkProtocol extends EventEmitter
     return @transport.graph.graphs[payload.graph]
 
   updateEdgesFilter: (graph, payload, context) ->
-    unless @transport.canDo ['network:data', 'protocol:network'], payload.secret
-      @send 'error', new Error("network:edges not permitted"), context
-      return
     network = @networks[payload.graph]
     if network
       network.filters = {}
@@ -215,18 +212,12 @@ class NetworkProtocol extends EventEmitter
       return doStart network.network
 
   startNetwork: (graph, payload, context) ->
-    unless @transport.canDo ['network:control', 'protocol:network'], payload.secret
-      @send 'error', new Error("network:start not permitted"), context
-      return
     network = @networks[payload.graph]
     @_startNetwork graph, payload.graph, context, (err) =>
       @send 'error', err, context if err
       return
 
   stopNetwork: (graph, payload, context) ->
-    unless @transport.canDo ['network:control', 'protocol:network'], payload.secret
-      @send 'error', new Error("network:stop not permitted"), context
-      return
     unless @networks[payload.graph]
       @send 'error', new Error("Network #{payload.graph} not found"), context
       return
@@ -256,9 +247,6 @@ class NetworkProtocol extends EventEmitter
     , context
 
   debugNetwork: (graph, payload, context) ->
-    unless @transport.canDo ['network:control', 'protocol:network'], payload.secret
-      @send 'error', new Error("network:debug not permitted"), context
-      return
     unless @networks[payload.graph]
       @send 'error', new Error("Network #{payload.graph} not found"), context
       return
@@ -272,9 +260,6 @@ class NetworkProtocol extends EventEmitter
     return
 
   getStatus: (graph, payload, context) ->
-    unless @transport.canDo ['network:status', 'network:control', 'protocol:network'], payload.secret
-      @send 'error', new Error("network:getstatus not permitted"), context
-      return
     unless @networks[payload.graph]
       @send 'error', new Error("Network #{payload.graph} not found"), context
       return

diff --git a/src/protocol/Runtime.coffee b/src/protocol/Runtime.coffee
@@ -90,9 +90,6 @@ class RuntimeProtocol extends EventEmitter
     switch topic
       when 'getruntime' then @getRuntime payload, context
       when 'packet'
-        unless @transport.canDo 'protocol:runtime', payload.secret
-          @send 'error', new Error("runtime:packet not permitted"), context
-          return
         @sendPacket payload, (err) =>
           if err
             @sendError err.message, context