Merge branch 'master' into #590

lib/iam-utils/example/index.js

@@ -2,7 +2,7 @@
 const express = require('express');
 
 process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = 0;
-process.env['IAM_TOKEN'] = 'd25eb0ad-d36c-4a8c-83ca-00b81996d98c';
+process.env['IAM_TOKEN'] = 'YOUR_IAM_TOKEN_WITH_INTROSPECT_PERMISSION';
 process.env['INTROSPECT_BASIC'] = 'true';
 
 const iamUtils = require('../index');
@@ -26,6 +26,6 @@ app.use((err, req, res, next) => {
 
 app.listen(3210, () => console.log('Example app listening on port 3210!'));
 
-iamUtils.verify('246d63f0-5303-415e-8c7e-a26d515dee28')
+iamUtils.getUserData({ token: 'TOKEN_FOR_INTROSPECTION' })
     .then(data => console.log(data))
     .catch(err => console.error(err));

lib/iam-utils/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openintegrationhub/iam-utils",
-  "version": "1.3.11",
+  "version": "1.4.1",
   "description": "Utils and express middleware for OIH IAM service",
   "main": "index.js",
   "scripts": {

lib/iam-utils/src/constants.js

@@ -30,4 +30,8 @@ module.exports = {
         INVALID_TOKEN: 'INVALID_TOKEN',
         DEFAULT: 'UNKNOWN_ERROR',
     },
+    DEFAULT_PERMISSIONS: {
+        ADMIN: ['all'],
+        TENANT_ADMIN: ['tenant.all'],
+    }
 };

lib/iam-utils/src/index.js

@@ -25,7 +25,7 @@ log.info(
     ),
 );
 
-const allRequiredElemsExistsInArray = (array, requiredElems) => {
+const allRequiredElemsExistsInArray = (array = [], requiredElems) => {
     let hit = 0;
 
     for (let i = 0; i < requiredElems.length; i += 1) {
@@ -37,6 +37,14 @@ const allRequiredElemsExistsInArray = (array, requiredElems) => {
     return hit === requiredElems.length;
 };
 
+const isAdmin = (user) => {
+    return allRequiredElemsExistsInArray(user.permissions, CONSTANTS.DEFAULT_PERMISSIONS.ADMIN)
+};
+
+const isTenantAdmin = (user) => {
+    return allRequiredElemsExistsInArray(user.permissions, CONSTANTS.DEFAULT_PERMISSIONS.TENANT_ADMIN)
+};
+
 module.exports = {
     getUserData: async ({ token, introspectType }) => {
 
@@ -79,10 +87,19 @@ module.exports = {
 
             if (user.memberships) {
                 user.currentContext = user.memberships.find(membership => membership.active);
+            } else {
+                /* @deprecated */
+                log.warn('currentContext is deprecated. Rely on user.tenant instead.');
+                user.currentContext = {
+                    roles: user.roles || [],
+                    tenant: user.tenant || null,
+                    permissions: user.permissions || [],
+                };
             }
+            user.permissions = user.permissions || [];
 
             user.sub = user.sub || body._id;
-
+            /* @deprecated */
             user.tenantId = body.tenantId;
 
             if (tokenCache) {
@@ -188,21 +205,12 @@ module.exports = {
             requiredPermissions = [requiredPermissions];
         }
 
-        const { role, permissions, currentContext } = user;
+        const { permissions } = user;
 
         /** requester is either admin, or a service account with correct permissions
          or a user in context of a tenant with her permissions
          */
-        if (role === CONSTANTS.ROLES.ADMIN
-            || (role === CONSTANTS.ROLES.SERVICE_ACCOUNT
-                && permissions.length
-                && allRequiredElemsExistsInArray(permissions, requiredPermissions)
-            )
-            || (
-                currentContext && currentContext.permissions.length
-                && allRequiredElemsExistsInArray(currentContext.permissions, requiredPermissions)
-            )
-        ) {
+        if (isAdmin(user) || allRequiredElemsExistsInArray(permissions, requiredPermissions)) {
             return true;
         }
 
@@ -214,21 +222,12 @@ module.exports = {
             requiredPermissions = [requiredPermissions];
         }
 
-        const { role, permissions, currentContext } = user;
+        const permissions = user.permissions || [];
 
         /** requester is either admin, or a service account with correct permissions
          or a user in context of a tenant with her permissions
          */
-        if (role === CONSTANTS.ROLES.ADMIN
-            || (role === CONSTANTS.ROLES.SERVICE_ACCOUNT
-                && permissions.length
-                && requiredPermissions.find(reqPerm => permissions.find(userPerm => userPerm === reqPerm))
-            )
-            || (
-                currentContext && currentContext.permissions.length
-                && requiredPermissions.find(reqPerm => currentContext.permissions.find(userPerm => userPerm === reqPerm))
-            )
-        ) {
+        if (isAdmin(user) || requiredPermissions.find(reqPerm => permissions.find(userPerm => userPerm === reqPerm))) {
             return true;
         }
 
@@ -256,17 +255,14 @@ module.exports = {
 
     isOwnerOf({ entity, user }) {
         const userIsOwner = !!entity.owners.find(
-            elem => elem.id === user.sub,
+            elem => elem.id === user.sub && elem.type === CONSTANTS.ENTITY.USER,
         );
 
         const tenantIsOwner = !!entity.owners.find(
-            elem => elem.id === user.tenantId,
+            elem => elem.id === user.tenantId && elem.type === CONSTANTS.ENTITY.TENANT,
         );
 
-        return (
-            (user.role === CONSTANTS.ROLES.TENANT_ADMIN && tenantIsOwner)
-            || userIsOwner
-        );
+        return userIsOwner || (tenantIsOwner && isTenantAdmin(user));
     },
 
 };

lib/secret-service/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openintegrationhub/secret-service",
-  "version": "1.2.3",
+  "version": "1.2.5",
   "description": "ExpressJS based service to manage credentials and secrets.",
   "main": "index.js",
   "author": "Basaas GmbH",
@@ -12,7 +12,7 @@
   "dependencies": {
     "@basaas/node-logger": "1.1.5",
     "@openintegrationhub/event-bus": "1.0.2",
-    "@openintegrationhub/iam-utils": "1.3.4",
+    "@openintegrationhub/iam-utils": "1.4.1",
     "assert": "2.0.0",
     "base64url": "3.0.1",
     "dot-prop": "5.1.0",

lib/secret-service/src/modules/event.js

@@ -14,11 +14,16 @@ class EventManager {
 
         const eventBus = EventBusManager.getEventBus();
 
-        eventBus.subscribe('account.deleted', async (event) => {
+        eventBus.subscribe('iam.user.deleted', async (event) => {
             await SecretsDAO.deleteAll({ ownerId: event.payload.user, type: CONSTANTS.ENTITY_TYPE.USER });
             await event.ack();
         });
 
+        eventBus.subscribe('iam.tenant.deleted', async (event) => {
+            await SecretsDAO.deleteAll({ ownerId: event.payload.user, type: CONSTANTS.ENTITY_TYPE.TENANT });
+            await event.ack();
+        });
+
         await eventBus.connect();
 
     }

lib/secret-service/src/route/secrets/index.spec.js

@@ -511,7 +511,7 @@ describe('secrets', () => {
 
         EventBusManager.getEventBus().publish(new Event({
             headers: {
-                name: 'account.deleted'
+                name: 'iam.user.deleted'
             },
             payload: {
                 user: userToBeDeleted.id

lib/secret-service/src/test/tokens.js

@@ -7,8 +7,7 @@ module.exports = {
         value: {
             sub: 'a1',
             name: 'Admin1',
-            role: 'ADMIN',
-            memberships: ['t1', 't2'],
+            permissions: ['all'],
             iat: 1337,
         },
     },
@@ -20,14 +19,9 @@ module.exports = {
             name: 'User2',
             role: 'USER',
             iat: 1337,
-            memberships: [
-                {
-                    tenant: '5c507eb60838f1f976e5f2a4',
-                    permissions: [
-                        'tenant.all',
-                    ],
-                    active: true,
-                },
+            tenant: '5c507eb60838f1f976e5f2a4',
+            permissions: [
+                'tenant.all',
             ],
         },
     },
@@ -38,16 +32,11 @@ module.exports = {
             sub: 'u2',
             name: 'User2',
             role: 'USER',
-            permissions: [permissions.common.secretReadRaw],
             iat: 1337,
-            memberships: [
-                {
-                    tenant: '5c507eb60838f1f976e5f2a4',
-                    permissions: [
-                        'tenant.all',
-                    ],
-                    active: true,
-                },
+            tenant: '5c507eb60838f1f976e5f2a4',
+            permissions: [
+                'tenant.all',
+                permissions.common.secretReadRaw,
             ],
         },
 
@@ -58,21 +47,11 @@ module.exports = {
         value: {
             sub: 's1',
             name: 'Service Account',
-            role: 'SERVICE_ACCOUNT',
             permissions: [
                 permissions.restricted.secretDeleteAny,
                 permissions.restricted.authClientDeleteAny,
             ],
             iat: 1337,
-            memberships: [
-                {
-                    tenant: '5c507eb60838f1f976e5f2a4',
-                    permissions: [
-                        'tenant.all',
-                    ],
-                    active: true,
-                },
-            ],
         },
 
     },
@@ -83,7 +62,6 @@ module.exports = {
             sub: 'u2',
             name: 'User2',
             role: 'EPHEMERAL_SERVICE_ACCOUNT',
-            memberships: ['t1'],
             permissions: [
                 permissions.common.secretReadRaw,
             ],
@@ -96,8 +74,7 @@ module.exports = {
         value: {
             sub: 'a3',
             name: 'Admin3',
-            role: 'ADMIN',
-            memberships: ['t2'],
+            permissions: ['all'],
             iat: 1337,
         },
     },
@@ -108,7 +85,6 @@ module.exports = {
             sub: 'u4',
             name: 'User4',
             role: 'NOT_USER',
-            memberships: ['t2'],
             iat: 1337,
         },
     },
@@ -119,7 +95,6 @@ module.exports = {
             sub: 'userFork',
             name: 'User Fork',
             role: 'USER',
-            memberships: ['fork'],
             iat: 1337,
         },
     },