Merge branch 'master' into test1

app/apollo/index.js

@@ -105,7 +105,7 @@ const createApolloServer = () => {
     introspection: true, // set to true as long as user has valid token
     plugins: customPlugins,
     tracing: process.env.GRAPHQL_ENABLE_TRACING === 'true',
-    playground: process.env.NODE_ENV !== 'production',
+    playground: process.env.GRAPHQL_ENABLE_PLAYGROUND === 'false',
     typeDefs,
     resolvers,
     schemaDirectives: {
@@ -183,7 +183,7 @@ const apollo = async (options = {}) => {
     const db = await connectDb(options.mongo_url);
     const app = options.app ? options.app : createDefaultApp();
     router.use(ebl(getBunyanConfig('apollo')));
-    if (initModule.playgroundAuth && process.env.NODE_ENV !== 'production') {
+    if (initModule.playgroundAuth && process.env.GRAPHQL_ENABLE_PLAYGROUND === 'true') {
       logger.info('Enabled playground route with authorization enforcement.');
       app.get(GRAPHQL_PATH, initModule.playgroundAuth);
     }

app/apollo/resolvers/channel.js

@@ -28,21 +28,20 @@ const yaml = require('js-yaml');
 const fs = require('fs');
 
 const { ACTIONS, TYPES, CHANNEL_VERSION_YAML_MAX_SIZE_LIMIT_MB, CHANNEL_LIMITS, CHANNEL_VERSION_LIMITS } = require('../models/const');
-const { whoIs, validAuth, NotFoundError, RazeeValidationError, BasicRazeeError, RazeeQueryError} = require ('./common');
+const { whoIs, validAuth, getAllowedChannels, NotFoundError, RazeeValidationError, BasicRazeeError, RazeeQueryError} = require ('./common');
 
 const { encryptOrgData, decryptOrgData} = require('../../utils/orgs');
 
 const channelResolvers = {
   Query: {
     channels: async(parent, { orgId }, context, fullQuery) => {
       const queryFields = GraphqlFields(fullQuery);
-      const { models, me, req_id, logger } = context;
+      const { me, req_id, logger } = context;
       const queryName = 'channels';
       logger.debug({req_id, user: whoIs(me), orgId }, `${queryName} enter`);
-      await validAuth(me, orgId, ACTIONS.READ, TYPES.CHANNEL, queryName, context);
 
       try{
-        var channels = await models.Channel.find({ org_id: orgId });
+        var channels = await getAllowedChannels(me, orgId, ACTIONS.READ, TYPES.CHANNEL, context);
         await applyQueryFieldsToChannels(channels, queryFields, { orgId }, context);
       }catch(err){
         logger.error(err, `${queryName} encountered an error when serving ${req_id}.`);

app/apollo/resolvers/common.js

@@ -38,7 +38,30 @@ const validClusterAuth = async (me, queryName, context) => {
     }
     return;
   }
-}; 
+};
+
+var getAllowedChannels = async(me, orgId, action, field, context)=>{
+  const { models } = context;
+  var channels = await models.Channel.find({ org_id: orgId });
+  return await filterChannelsToAllowed(me, orgId, action, field, channels, context);
+};
+
+var filterChannelsToAllowed = async(me, orgId, action, field, channels, context)=>{
+  const { models } = context;
+  var decisionInputs = _.map(channels, (channel)=>{
+    return {
+      type: field,
+      action,
+      uuid: channel.uuid,
+      name: channel.name,
+    };
+  });
+  var decisions = await models.User.isAuthorizedBatch(me, orgId, decisionInputs, context);
+  channels = _.filter(channels, (val, idx)=>{
+    return decisions[idx];
+  });
+  return channels;
+};
 
 // return user permitted cluster groups in an array 
 const getAllowedGroups = async (me, org_id, action, field, queryName, context) => {
@@ -182,4 +205,8 @@ class RazeeQueryError extends BasicRazeeError {
   }
 }
 
-module.exports =  { whoIs, validAuth, BasicRazeeError, NotFoundError, RazeeValidationError, RazeeForbiddenError, RazeeQueryError, validClusterAuth, getAllowedGroups, getGroupConditions, getGroupConditionsIncludingEmpty , applyClusterInfoOnResources};
+module.exports =  {
+  whoIs, validAuth, getAllowedChannels, filterChannelsToAllowed,
+  BasicRazeeError, NotFoundError, RazeeValidationError, RazeeForbiddenError, RazeeQueryError,
+  validClusterAuth, getAllowedGroups, getGroupConditions, getGroupConditionsIncludingEmpty, applyClusterInfoOnResources,
+};

app/apollo/resolvers/subscription.js

@@ -289,7 +289,7 @@ const subscriptionResolvers = {
         if(!channel){
           throw new NotFoundError(`channel uuid "${channel_uuid}" not found`, context);
         }
-       
+
         // validate groups are all exists in label dbs
         await validateGroups(org_id, groups, context);
 
@@ -325,14 +325,16 @@ const subscriptionResolvers = {
       const { models, me, req_id, logger } = context;
       const queryName = 'editSubscription';
       logger.debug({req_id, user: whoIs(me), orgId }, `${queryName} enter`);
-      await validAuth(me, orgId, ACTIONS.UPDATE, TYPES.SUBSCRIPTION, queryName, context);
+      // await validAuth(me, orgId, ACTIONS.UPDATE, TYPES.SUBSCRIPTION, queryName, context);
 
       try{
         var subscription = await models.Subscription.findOne({ org_id: orgId, uuid });
         if(!subscription){
           throw  new NotFoundError(`Subscription { uuid: "${uuid}", orgId:${orgId} } not found.`, context);
         }
 
+        await validAuth(me, orgId, ACTIONS.UPDATE, TYPES.SUBSCRIPTION, queryName, context, [subscription.uuid, subscription.name]);
+
         // loads the channel
         var channel = await models.Channel.findOne({ org_id: orgId, uuid: channel_uuid });
         if(!channel){
@@ -384,6 +386,9 @@ const subscriptionResolvers = {
           throw  new NotFoundError(`Subscription { uuid: "${uuid}", org_id:${org_id} } not found.`, context);
         }
 
+        // this may be overkill, but will check for strings first, then groups below
+        await validAuth(me, org_id, ACTIONS.SETVERSION, TYPES.SUBSCRIPTION, queryName, context, [subscription.uuid, subscription.name]);
+
         // validate user has enough cluster groups permissions to for this sub
         // TODO: we should use specific groups action below instead of manage, e.g. setSubscription action
         const allowedGroups = await getAllowedGroups(me, org_id, ACTIONS.SETVERSION, 'name', queryName, context);
@@ -431,14 +436,17 @@ const subscriptionResolvers = {
       const { models, me, req_id, logger } = context;
       const queryName = 'removeSubscription';
       logger.debug({req_id, user: whoIs(me), org_id }, `${queryName} enter`);
-      await validAuth(me, org_id, ACTIONS.DELETE, TYPES.SUBSCRIPTION, queryName, context);
+      // await validAuth(me, org_id, ACTIONS.DELETE, TYPES.SUBSCRIPTION, queryName, context);
 
       var success = false;
       try{
         var subscription = await models.Subscription.findOne({ org_id, uuid });
         if(!subscription){
           throw  new NotFoundError(`Subscription uuid "${uuid}" not found.`, context);
         }
+
+        await validAuth(me, org_id, ACTIONS.DELETE, TYPES.SUBSCRIPTION, queryName, context, [subscription.uuid, subscription.name]);
+
         await subscription.deleteOne();
 
         pubSub.channelSubChangedFunc({org_id: org_id}, context);

app/apollo/utils/applyQueryFields.js

@@ -15,8 +15,8 @@
  */
 
 var _ = require('lodash');
-const { getGroupConditions } = require('../resolvers/common');
-const { ACTIONS, CLUSTER_REG_STATES, CLUSTER_STATUS } = require('../models/const');
+const { getGroupConditions, filterChannelsToAllowed } = require('../resolvers/common');
+const { ACTIONS, TYPES, CLUSTER_REG_STATES, CLUSTER_STATUS } = require('../models/const');
 
 const applyQueryFieldsToClusters = async(clusters, queryFields={}, args, context)=>{
   var { models } = context;
@@ -177,7 +177,7 @@ const applyQueryFieldsToChannels = async(channels, queryFields={}, args, context
 };
 
 const applyQueryFieldsToSubscriptions = async(subs, queryFields={}, args, context)=>{ // eslint-disable-line
-  var { models } = context;
+  var { me, models } = context;
   var { orgId } = args;
 
   _.each(subs, (sub)=>{
@@ -191,6 +191,8 @@ const applyQueryFieldsToSubscriptions = async(subs, queryFields={}, args, contex
   if(queryFields.channel){
     var channelUuids = _.uniq(_.map(subs, 'channelUuid'));
     var channels = await models.Channel.find({ uuid: { $in: channelUuids } });
+    channels = await filterChannelsToAllowed(me, orgId, ACTIONS.READ, TYPES.CHANNEL, channels, context);
+
     await applyQueryFieldsToChannels(channels, queryFields.channel, args, context);
 
     var channelsByUuid = _.keyBy(channels, 'uuid');

package.json

@@ -82,7 +82,7 @@
     "passport-local": "^1.0.0",
     "prom-client": "^12.0.0",
     "stream-buffers": "^3.0.2",
-    "subscriptions-transport-ws": "^0.9.17",
+    "subscriptions-transport-ws": "^0.9.18",
     "swagger-ui-express": "^4.1.4",
     "uuid": "^8.3.0",
     "validator": "^13.1.1",
@@ -100,7 +100,7 @@
     "mongo-mock": "^4.0.0",
     "mongodb-memory-server": "^6.6.3",
     "nock": "^13.0.4",
-    "node-mocks-http": "^1.8.1",
+    "node-mocks-http": "^1.9.0",
     "nodemon": "^2.0.4",
     "npm-check-updates": "^7.1.1",
     "npm-run-all": "^4.1.5",