feat: check user authorisation when starting an new execution

affects: tymly
wmfs · Jun 11, 2018 · 0c64741 · 0c64741
1 parent b39b872
commit 0c64741
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 12 deletions.
diff --git a/lib/plugin/components/services/statebox/index.js b/lib/plugin/components/services/statebox/index.js
@@ -5,6 +5,8 @@ const _ = require('lodash')
 
 class StateboxService {
   async boot (options, callback) {
+    this.services = options.bootedServices
+
     this.statebox = new Statebox(options)
     await this.statebox.ready
 
@@ -59,9 +61,18 @@ class StateboxService {
     return this.statebox.listStateMachines()
   }
 
-  startExecution (input, stateMachineName, executionOptions, callback) {
-    return this.statebox.startExecution(input, stateMachineName, executionOptions, callback)
-  }
+  async startExecution (input, stateMachineName, executionOptions, callback) {
+    if (callback) {
+      this.startExecution(input, stateMachineName, executionOptions)
+        .then(executionDescription => callback(null, executionDescription))
+        .catch(err => callback(err))
+    } // if ...
+
+    const [authOk, errExecDesc] = await this.authorisationCheck(stateMachineName, executionOptions, 'create')
+    return authOk ?
+      this.statebox.startExecution(input, stateMachineName, executionOptions) :
+      errExecDesc
+  } // startExecution
 
   stopExecution (cause, error, executionName, executionOptions, callback) {
     return this.statebox.stopExecution(cause, error, executionName, executionOptions, callback)
@@ -90,6 +101,34 @@ class StateboxService {
   waitUntilStoppedRunning (executionName, callback) {
     return this.statebox.waitUntilStoppedRunning(executionName, callback)
   }
+
+  async authorisationCheck (stateMachineName, executionOptions, action) {
+    const rbac = this.services.rbac
+    const userId = executionOptions.userId
+
+    const roles = await rbac.getUserRoles(userId)
+    const authorised = rbac.checkRoleAuthorization(
+      userId,
+      executionOptions,
+      roles,
+      'stateMachine',
+      stateMachineName,
+      action
+    )
+
+    if (authorised)
+      return [true]
+
+    return [
+      false,
+      {
+        status: 'FAILED',
+        stateMachineName: stateMachineName,
+        errorCode: '401',
+        errorMessage: `'${(typeof userId === 'string') ? userId : null}' can not perform '${action}' on '${stateMachineName}'`
+      }
+    ]
+  } // authorisationCheck
 } // class StateboxService
 
 function addResources (statebox, options) {

diff --git a/test/statebox-service-acl-tests.js b/test/statebox-service-acl-tests.js
@@ -43,15 +43,18 @@ describe('statebox service RBAC authorisation tests', function () {
   })
 
   it('anonymous can\'t run \'authenticated\'', async () => {
-    try {
-      await statebox.startExecution(
-        {},
-        'tymlyTest_authenticated_1_0',
-        {sendResponse: 'COMPLETE'}
-      )
-    } catch (err) {
-      expect(err.output.statusCode).to.eql(401)
-    }
+    const execDesc = await statebox.startExecution(
+      { },
+      'tymlyTest_authenticated_1_0',
+      {
+        sendResponse: 'COMPLETE'
+      }
+    )
+
+    expect(execDesc.status).to.eql('FAILED')
+    expect(execDesc.stateMachineName).to.eql('tymlyTest_authenticated_1_0')
+    expect(execDesc.errorCode).to.eql('401')
+    expect(execDesc.errorMessage).to.eql('\'null\' can not perform \'create\' on \'tymlyTest_authenticated_1_0\'')
   })
 
   it('\'jim.smith\' can run \'everyone\'', async () => {