feat: implement authorisation check in stopExecution

affects: tymly
wmfs · Jun 13, 2018 · eee9d6b · eee9d6b
1 parent 052d6df
commit eee9d6b
Show file tree

Hide file tree

Showing 7 changed files with 308 additions and 84 deletions.
diff --git a/lib/plugin/components/services/rbac/index.js b/lib/plugin/components/services/rbac/index.js
@@ -7,6 +7,7 @@ const checkRoleAuthorization = require('./check-role-authorization')
 class RbacService {
   async boot (options, callback) {
     try {
+      this.messages = options.messages
       this.roleModel = options.bootedServices.storage.models.tymly_role
       this.roleMembershipModel = options.bootedServices.storage.models.tymly_roleMembership
       this.permissionModel = options.bootedServices.storage.models.tymly_permission
@@ -15,13 +16,13 @@ class RbacService {
       caches.defaultIfNotInConfig('userMemberships', 500)
       this.userMembershipsCache = caches.userMemberships
 
-      options.messages.info('Applying default roles')
+      this.messages.info('Applying default roles')
       await applyDefaultRoles(
         options.config.defaultUsers,
         this.roleMembershipModel
       )
 
-      options.messages.info('Applying unknown Blueprint documents')
+      this.messages.info('Applying unknown Blueprint documents')
       await applyDefaultBlueprintDocs(
         options.bootedServices.blueprintDocs,
         options.blueprintComponents,
@@ -30,12 +31,7 @@ class RbacService {
         this.permissionModel
       )
 
-      options.messages.info('Refreshing RBAC index')
-      this.rbac = await loadRbacIndex(
-        this.roleModel,
-        this.roleMembershipModel,
-        this.permissionModel
-      )
+      await this.refreshRbacIndex()
 
       callback(null)
     } catch (err) {
@@ -47,6 +43,15 @@ class RbacService {
     return ensureUserRoles(userId, roleIds, this.roleMembershipModel)
   } // ensureUserRoles
 
+  async refreshRbacIndex () {
+    this.messages.info('Refreshing RBAC index')
+    this.rbac = await loadRbacIndex(
+      this.roleModel,
+      this.roleMembershipModel,
+      this.permissionModel
+    )
+  }
+
   /**
    * Returns with all the roles currently assigned to the specified userId
    * @param {string} userId Specifies which useId to return a list of roles for

diff --git a/lib/plugin/components/services/statebox/index.js b/lib/plugin/components/services/statebox/index.js
@@ -68,22 +68,42 @@ class StateboxService {
         .catch(err => callback(err))
     } // if ...
 
-    const [authOk, errExecDesc] = await this.authorisationCheck(stateMachineName, executionOptions, 'create')
+    const [authOk, errExecDesc] = await this.authorisationCheck(
+      executionOptions.userId,
+      stateMachineName,
+      executionOptions,
+      'create'
+    )
     return authOk
       ? this.statebox.startExecution(input, stateMachineName, executionOptions)
       : errExecDesc
   } // startExecution
 
-  stopExecution (cause, error, executionName, executionOptions, callback) {
-    return this.statebox.stopExecution(cause, error, executionName, executionOptions, callback)
-  }
+  async stopExecution (cause, error, executionName, executionOptions, callback) {
+    if (callback) {
+      return this.stopExecution(cause, error, executionName, executionOptions)
+        .then(executionDescription => callback(null, executionDescription))
+        .catch(err => callback(err))
+    }
+
+    const executionDescription = await this.statebox.describeExecution(executionName, executionOptions)
+    const [authOk, errExecDesc] = await this.authorisationCheck(
+      executionOptions.userId,
+      executionDescription.stateMachineName,
+      executionDescription.executionOptions,
+      'stop'
+    )
+    return authOk
+      ? this.statebox.stopExecution(cause, error, executionName, executionOptions)
+      : errExecDesc
+  } // stopExecution
 
   listExecutions (executionOptions, callback) {
     this.statebox.listExecutions(executionOptions, callback)
   }
 
   describeExecution (executionName, executionOptions, callback) {
-    this.statebox.describeExecution(executionName, executionOptions, callback)
+    return this.statebox.describeExecution(executionName, executionOptions, callback)
   }
 
   sendTaskSuccess (executionName, output, executionOptions, callback) {
@@ -102,13 +122,14 @@ class StateboxService {
     return this.statebox.waitUntilStoppedRunning(executionName, callback)
   }
 
-  async authorisationCheck (stateMachineName, executionOptions, action) {
-    return [true] // STUB!
-  }
-/*
-  async authorisationCheck (stateMachineName, executionOptions, action) {
+  /*
+    async authorisationCheck (stateMachineName, executionOptions, action) {
+      return [true] // STUB!
+    }
+  */
+
+  async authorisationCheck (userId, stateMachineName, executionOptions, action) {
     const rbac = this.services.rbac
-    const userId = executionOptions.userId
 
     const roles = await rbac.getUserRoles(userId)
     const authorised = rbac.checkRoleAuthorization(
@@ -134,7 +155,6 @@ class StateboxService {
       }
     ]
   } // authorisationCheck
-*/
 } // class StateboxService
 
 function addResources (statebox, options) {

diff --git a/test/fixtures/blueprints/access-controlled-blueprint/state-machines/admin.json b/test/fixtures/blueprints/access-controlled-blueprint/state-machines/admin.json
@@ -0,0 +1,21 @@
+{
+  "Comment": "Blueprint to do a thing",
+  "version": "1.0",
+  "StartAt": "Success",
+  "States": {
+    "Success": {
+      "Type": "Task",
+      "Resource": "module:success",
+      "ResultPath": "$.success",
+      "End": true
+    }
+  },
+  "restrictions": [
+    {
+      "roleId": "admin",
+      "allows": [
+        "*"
+      ]
+    }
+  ]
+}
diff --git a/...tures/blueprints/access-controlled-blueprint/state-machines/authenticated-heart-beat.json b/...tures/blueprints/access-controlled-blueprint/state-machines/authenticated-heart-beat.json
@@ -0,0 +1,25 @@
+{
+  "Comment": "State machine to test heartbeat functionality.",
+  "version": "1.0",
+  "StartAt": "Heartbeat",
+  "States": {
+    "Heartbeat": {
+      "Type": "Task",
+      "Resource": "module:heartBeat",
+      "End": true
+    }
+  },
+  "restrictions": [
+    {
+      "roleId": "$everyone",
+      "allows": [
+        "create"
+      ]
+    },
+    { "roleId": "$authenticated",
+      "allows": [
+        "*"
+      ]
+    }
+  ]
+}
diff --git a/test/fixtures/blueprints/access-controlled-blueprint/state-machines/everyone-heart-beat.json b/test/fixtures/blueprints/access-controlled-blueprint/state-machines/everyone-heart-beat.json
@@ -0,0 +1,20 @@
+{
+  "Comment": "State machine to test heartbeat functionality.",
+  "version": "1.0",
+  "StartAt": "Heartbeat",
+  "States": {
+    "Heartbeat": {
+      "Type": "Task",
+      "Resource": "module:heartBeat",
+      "End": true
+    }
+  },
+  "restrictions": [
+    {
+      "roleId": "$everyone",
+      "allows": [
+        "*"
+      ]
+    }
+  ]
+}
diff --git a/test/fixtures/blueprints/access-controlled-blueprint/state-machines/owner-heart-beat.json b/test/fixtures/blueprints/access-controlled-blueprint/state-machines/owner-heart-beat.json
@@ -0,0 +1,25 @@
+{
+  "Comment": "State machine to test heartbeat functionality.",
+  "version": "1.0",
+  "StartAt": "Heartbeat",
+  "States": {
+    "Heartbeat": {
+      "Type": "Task",
+      "Resource": "module:heartBeat",
+      "End": true
+    }
+  },
+  "restrictions": [
+    {
+      "roleId": "$everyone",
+      "allows": [
+        "create"
+      ]
+    },
+    { "roleId": "$owner",
+      "allows": [
+        "*"
+      ]
+    }
+  ]
+}