@hitchy/plugin-auth 0.2.0 → 0.3.0

package/api/service/authentication/strategies.js

@@ -1,34 +1,19 @@
+"use strict";
+
+const LocalStrategy = require( "passport-local" ).Strategy;
+
 /**
- * (c) 2021 cepharum GmbH, Berlin, http://cepharum.de
- *
- * The MIT License (MIT)
- *
- * Copyright (c) 2021 cepharum GmbH
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
+ * Temporarily tracks additional session data per remotely authenticated user.
  *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
+ * Some strategies (such as passport-saml) expect certain strategy-related data
+ * per authenticated user to be present on `req.user` prior to accepting request
+ * for logging out. In hitchy, `req.user` is fetched from database on every
+ * request and thus no temporary data is available. Hence, this local map is
+ * used instead to track any additional data for those strategies.
  *
- * @author: cepharum
+ * @type {Map<any, any>}
  */
-
-"use strict";
-
-const LocalStrategy = require( "passport-local" ).Strategy;
+const RemoteAuthCustomData = new Map();
 
 module.exports = function() {
 	const api = this;
@@ -36,6 +21,37 @@ module.exports = function() {
 
 	const AlertLog = api.log( "hitchy:plugin:auth:alert" );
 
+	/**
+	 * Fetches named user's local profile.
+	 *
+	 * @param {string} strategyName name of strategy used to authenticate user
+	 * @param {string} username name of user to search locally for related profile
+	 * @param {boolean} createIfMissing set true to create user's profile if it's missing currenly
+	 * @param {function(Error?, object):void} doneFn callback invoked with encountered error or user's profile
+	 * @returns {void}
+	 */
+	function getLocalProfile( strategyName, username, createIfMissing, doneFn ) {
+		models.User.find( { eq: { name: username } } )
+			.then( candidates => candidates.find( user => user.strategy === strategyName ) )
+			.then( match => {
+				if ( match ) {
+					return match;
+				}
+
+				if ( createIfMissing ) {
+					const newUser = new models.User();
+					newUser.name = username;
+					newUser.strategy = strategyName;
+
+					return newUser.save();
+				}
+
+				throw new TypeError( "selected user does not exist" );
+			} )
+			.then( profile => doneFn( null, profile ) )
+			.catch( doneFn );
+	}
+
 	/**
 	 * Implements helpers for generating strategies for passport.js.
 	 */
@@ -89,6 +105,139 @@ module.exports = function() {
 			return strategy;
 		}
 
+		/**
+		 * Generates SAML strategy authenticating user against some remote IdP
+		 * based on SAML v2.0 protocol.
+		 *
+		 * @param {string} strategyName name of resulting strategy in context of your application
+		 * @param {Hitchy.Plugin.Auth.SamlConfig} config SAML protocol configuration
+		 * @returns {Strategy} generated strategy for use with passport.js
+		 */
+		static generateSaml( strategyName, config ) {
+			const verifyLocalProfileOnLogin = ( req, userInfo, done ) => {
+				RemoteAuthCustomData.set( `${strategyName}:${userInfo.nameID}`, { ...userInfo } );
+
+				getLocalProfile( strategyName, userInfo.nameID, true, done );
+			};
+
+			const verifyLocalProfileOnLogout = ( req, userInfo, done ) => {
+				getLocalProfile( strategyName, userInfo.nameID, false, done );
+			};
+
+			const { Strategy } = require( "passport-saml" );
+			const strategy = new Strategy( {
+				...config,
+				passReqToCallback: true,
+			}, verifyLocalProfileOnLogin, verifyLocalProfileOnLogout );
+
+			/**
+			 * Triggers requesting user being logged out remotely.
+			 *
+			 * @param {Hitchy.Core.IncomingMessage} req request descriptor
+			 * @returns {Promise<boolean>} promises indicator if request was redirected to come back after remote logout succeeded
+			 */
+			strategy.logOutRemotely = req => {
+				if ( req.query.SAMLResponse ) {
+					return Promise.resolve( false );
+				}
+
+				const res = req.context.response;
+
+				return new Promise( ( resolve, reject ) => {
+					const { user } = req;
+
+					const remoteSessionKey = `${strategyName}:${user.name}`;
+
+					if ( !user || user.strategy !== strategyName || !RemoteAuthCustomData.has( remoteSessionKey ) ) {
+						resolve( {} );
+					} else {
+						// inject custom auth data into `req.user` as expected by passport-saml strategy
+						const data = RemoteAuthCustomData.get( remoteSessionKey );
+
+						for ( const name of Object.keys( data ) ) {
+							user[name] = data[name];
+						}
+
+						user.nameID = user.name;
+
+						if ( !user.nameID || !user.nameIDFormat ) {
+							reject( new Error( "missing nameID and nameIDFormat of user required for requesting logout at IdP" ) );
+						} else {
+							// ask strategy for generating logout URL for redirecting client to
+							strategy.logout( req, ( error, logoutUrl ) => {
+								if ( error ) {
+									reject( error );
+								} else {
+									resolve( { name: remoteSessionKey, url: logoutUrl } );
+								}
+							} );
+						}
+					}
+				} )
+					.then( ( { name, url } ) => {
+						if ( url ) {
+							// first pass -> redirect to IdP
+							res.redirect( 302, url );
+							return true;
+						}
+
+						// second pass -> returned from IdP
+
+						if ( name ) {
+							RemoteAuthCustomData.delete( name );
+						}
+
+						return false;
+					} );
+			};
+
+			Object.defineProperty( strategy, "$$doNotSeal$$", { value: true } );
+
+			return strategy;
+		}
+
+		/**
+		 * Creates strategy for illustrating and testing integration with remote IdP
+		 * supporting OpenID Connect with Authorization Code Flow.
+		 *
+		 * @param {string} strategyName name of resulting strategy in context of your application
+		 * @param {ClientMetaData} config OpenID Connect client configuration
+		 * @returns {Promise<Strategy>} promises generated strategy for use with passport.js
+		 */
+		static async generateOpenIdConnect( strategyName, config ) { // eslint-disable-line consistent-this
+			const verifyLocalProfileOnLogin = ( req, tokens, userInfo, done ) => {
+				getLocalProfile( strategyName, userInfo.preferred_username, true, done );
+			};
+
+			const { Issuer, Strategy } = require( "openid-client" );
+			const issuer = await Issuer.discover( config.discovery_url );
+			const client = new issuer.Client( config );
+
+			const strategy = new Strategy( {
+				client,
+				passReqToCallback: true,
+			}, verifyLocalProfileOnLogin );
+
+			strategy.logOutRemotely = req => {
+				const key = `${strategyName}:logout_state`;
+
+				if ( req.session[key] && req.query.state === req.session[key] ) {
+					return Promise.resolve( false );
+				}
+
+				const state = req.session[key] = require( "crypto" ).randomBytes( 32 ).toString( "base64" ); // eslint-disable-line no-param-reassign
+
+				// redirect user to discovered end_session_url of IdP
+				req.context.response.redirect( 302, client.endSessionUrl( { state } ) );
+
+				return Promise.resolve( true );
+			};
+
+			Object.defineProperty( strategy, "$$doNotSeal$$", { value: true } );
+
+			return strategy;
+		}
+
 		/**
 		 * Retrieves name of strategy to use by default.
 		 *

package/api/service/authorization/node.js

@@ -1,31 +1,3 @@
-/**
- * (c) 2021 cepharum GmbH, Berlin, http://cepharum.de
- *
- * The MIT License (MIT)
- *
- * Copyright (c) 2021 cepharum GmbH
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- *
- * @author: cepharum
- */
-
 "use strict";
 
 module.exports = function() {

package/api/service/authorization/policy-generator.js

@@ -1,31 +1,3 @@
-/**
- * (c) 2021 cepharum GmbH, Berlin, http://cepharum.de
- *
- * The MIT License (MIT)
- *
- * Copyright (c) 2021 cepharum GmbH
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- *
- * @author: cepharum
- */
-
 "use strict";
 
 module.exports = function() {

package/api/service/authorization/tree.js

@@ -1,31 +1,3 @@
-/**
- * (c) 2021 cepharum GmbH, Berlin, http://cepharum.de
- *
- * The MIT License (MIT)
- *
- * Copyright (c) 2021 cepharum GmbH
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- *
- * @author: cepharum
- */
-
 "use strict";
 
 module.exports = function() {

package/config/auth.js

@@ -3,6 +3,7 @@
 module.exports = function() {
 	return {
 		auth: {
+			prefix: "/api/auth",
 			strategies: {
 				// local: this.runtime.services.AuthStrategies.generateLocal()
 			},
@@ -10,6 +11,10 @@ module.exports = function() {
 				// "feature.export.pdf": "@customers"
 				// "feature.export.text": "@customers,@testers"
 			},
+			roles: [
+				// "customers",
+				// "testers",
+			],
 		}
 	};
 };

package/coverage/base.css

@@ -0,0 +1,224 @@
+body, html {
+  margin:0; padding: 0;
+  height: 100%;
+}
+body {
+    font-family: Helvetica Neue, Helvetica, Arial;
+    font-size: 14px;
+    color:#333;
+}
+.small { font-size: 12px; }
+*, *:after, *:before {
+  -webkit-box-sizing:border-box;
+     -moz-box-sizing:border-box;
+          box-sizing:border-box;
+  }
+h1 { font-size: 20px; margin: 0;}
+h2 { font-size: 14px; }
+pre {
+    font: 12px/1.4 Consolas, "Liberation Mono", Menlo, Courier, monospace;
+    margin: 0;
+    padding: 0;
+    -moz-tab-size: 2;
+    -o-tab-size:  2;
+    tab-size: 2;
+}
+a { color:#0074D9; text-decoration:none; }
+a:hover { text-decoration:underline; }
+.strong { font-weight: bold; }
+.space-top1 { padding: 10px 0 0 0; }
+.pad2y { padding: 20px 0; }
+.pad1y { padding: 10px 0; }
+.pad2x { padding: 0 20px; }
+.pad2 { padding: 20px; }
+.pad1 { padding: 10px; }
+.space-left2 { padding-left:55px; }
+.space-right2 { padding-right:20px; }
+.center { text-align:center; }
+.clearfix { display:block; }
+.clearfix:after {
+  content:'';
+  display:block;
+  height:0;
+  clear:both;
+  visibility:hidden;
+  }
+.fl { float: left; }
+@media only screen and (max-width:640px) {
+  .col3 { width:100%; max-width:100%; }
+  .hide-mobile { display:none!important; }
+}
+
+.quiet {
+  color: #7f7f7f;
+  color: rgba(0,0,0,0.5);
+}
+.quiet a { opacity: 0.7; }
+
+.fraction {
+  font-family: Consolas, 'Liberation Mono', Menlo, Courier, monospace;
+  font-size: 10px;
+  color: #555;
+  background: #E8E8E8;
+  padding: 4px 5px;
+  border-radius: 3px;
+  vertical-align: middle;
+}
+
+div.path a:link, div.path a:visited { color: #333; }
+table.coverage {
+  border-collapse: collapse;
+  margin: 10px 0 0 0;
+  padding: 0;
+}
+
+table.coverage td {
+  margin: 0;
+  padding: 0;
+  vertical-align: top;
+}
+table.coverage td.line-count {
+    text-align: right;
+    padding: 0 5px 0 20px;
+}
+table.coverage td.line-coverage {
+    text-align: right;
+    padding-right: 10px;
+    min-width:20px;
+}
+
+table.coverage td span.cline-any {
+    display: inline-block;
+    padding: 0 5px;
+    width: 100%;
+}
+.missing-if-branch {
+    display: inline-block;
+    margin-right: 5px;
+    border-radius: 3px;
+    position: relative;
+    padding: 0 4px;
+    background: #333;
+    color: yellow;
+}
+
+.skip-if-branch {
+    display: none;
+    margin-right: 10px;
+    position: relative;
+    padding: 0 4px;
+    background: #ccc;
+    color: white;
+}
+.missing-if-branch .typ, .skip-if-branch .typ {
+    color: inherit !important;
+}
+.coverage-summary {
+  border-collapse: collapse;
+  width: 100%;
+}
+.coverage-summary tr { border-bottom: 1px solid #bbb; }
+.keyline-all { border: 1px solid #ddd; }
+.coverage-summary td, .coverage-summary th { padding: 10px; }
+.coverage-summary tbody { border: 1px solid #bbb; }
+.coverage-summary td { border-right: 1px solid #bbb; }
+.coverage-summary td:last-child { border-right: none; }
+.coverage-summary th {
+  text-align: left;
+  font-weight: normal;
+  white-space: nowrap;
+}
+.coverage-summary th.file { border-right: none !important; }
+.coverage-summary th.pct { }
+.coverage-summary th.pic,
+.coverage-summary th.abs,
+.coverage-summary td.pct,
+.coverage-summary td.abs { text-align: right; }
+.coverage-summary td.file { white-space: nowrap;  }
+.coverage-summary td.pic { min-width: 120px !important;  }
+.coverage-summary tfoot td { }
+
+.coverage-summary .sorter {
+    height: 10px;
+    width: 7px;
+    display: inline-block;
+    margin-left: 0.5em;
+    background: url(sort-arrow-sprite.png) no-repeat scroll 0 0 transparent;
+}
+.coverage-summary .sorted .sorter {
+    background-position: 0 -20px;
+}
+.coverage-summary .sorted-desc .sorter {
+    background-position: 0 -10px;
+}
+.status-line {  height: 10px; }
+/* yellow */
+.cbranch-no { background: yellow !important; color: #111; }
+/* dark red */
+.red.solid, .status-line.low, .low .cover-fill { background:#C21F39 }
+.low .chart { border:1px solid #C21F39 }
+.highlighted,
+.highlighted .cstat-no, .highlighted .fstat-no, .highlighted .cbranch-no{
+  background: #C21F39 !important;
+}
+/* medium red */
+.cstat-no, .fstat-no, .cbranch-no, .cbranch-no { background:#F6C6CE }
+/* light red */
+.low, .cline-no { background:#FCE1E5 }
+/* light green */
+.high, .cline-yes { background:rgb(230,245,208) }
+/* medium green */
+.cstat-yes { background:rgb(161,215,106) }
+/* dark green */
+.status-line.high, .high .cover-fill { background:rgb(77,146,33) }
+.high .chart { border:1px solid rgb(77,146,33) }
+/* dark yellow (gold) */
+.status-line.medium, .medium .cover-fill { background: #f9cd0b; }
+.medium .chart { border:1px solid #f9cd0b; }
+/* light yellow */
+.medium { background: #fff4c2; }
+
+.cstat-skip { background: #ddd; color: #111; }
+.fstat-skip { background: #ddd; color: #111 !important; }
+.cbranch-skip { background: #ddd !important; color: #111; }
+
+span.cline-neutral { background: #eaeaea; }
+
+.coverage-summary td.empty {
+    opacity: .5;
+    padding-top: 4px;
+    padding-bottom: 4px;
+    line-height: 1;
+    color: #888;
+}
+
+.cover-fill, .cover-empty {
+  display:inline-block;
+  height: 12px;
+}
+.chart {
+  line-height: 0;
+}
+.cover-empty {
+    background: white;
+}
+.cover-full {
+    border-right: none !important;
+}
+pre.prettyprint {
+    border: none !important;
+    padding: 0 !important;
+    margin: 0 !important;
+}
+.com { color: #999 !important; }
+.ignore-none { color: #999; font-weight: normal; }
+
+.wrapper {
+  min-height: 100%;
+  height: auto !important;
+  height: 100%;
+  margin: 0 auto -48px;
+}
+.footer, .push {
+  height: 48px;
+}

package/coverage/block-navigation.js

@@ -0,0 +1,79 @@
+/* eslint-disable */
+var jumpToCode = (function init() {
+    // Classes of code we would like to highlight in the file view
+    var missingCoverageClasses = ['.cbranch-no', '.cstat-no', '.fstat-no'];
+
+    // Elements to highlight in the file listing view
+    var fileListingElements = ['td.pct.low'];
+
+    // We don't want to select elements that are direct descendants of another match
+    var notSelector = ':not(' + missingCoverageClasses.join('):not(') + ') > '; // becomes `:not(a):not(b) > `
+
+    // Selecter that finds elements on the page to which we can jump
+    var selector =
+        fileListingElements.join(', ') +
+        ', ' +
+        notSelector +
+        missingCoverageClasses.join(', ' + notSelector); // becomes `:not(a):not(b) > a, :not(a):not(b) > b`
+
+    // The NodeList of matching elements
+    var missingCoverageElements = document.querySelectorAll(selector);
+
+    var currentIndex;
+
+    function toggleClass(index) {
+        missingCoverageElements
+            .item(currentIndex)
+            .classList.remove('highlighted');
+        missingCoverageElements.item(index).classList.add('highlighted');
+    }
+
+    function makeCurrent(index) {
+        toggleClass(index);
+        currentIndex = index;
+        missingCoverageElements.item(index).scrollIntoView({
+            behavior: 'smooth',
+            block: 'center',
+            inline: 'center'
+        });
+    }
+
+    function goToPrevious() {
+        var nextIndex = 0;
+        if (typeof currentIndex !== 'number' || currentIndex === 0) {
+            nextIndex = missingCoverageElements.length - 1;
+        } else if (missingCoverageElements.length > 1) {
+            nextIndex = currentIndex - 1;
+        }
+
+        makeCurrent(nextIndex);
+    }
+
+    function goToNext() {
+        var nextIndex = 0;
+
+        if (
+            typeof currentIndex === 'number' &&
+            currentIndex < missingCoverageElements.length - 1
+        ) {
+            nextIndex = currentIndex + 1;
+        }
+
+        makeCurrent(nextIndex);
+    }
+
+    return function jump(event) {
+        switch (event.which) {
+            case 78: // n
+            case 74: // j
+                goToNext();
+                break;
+            case 66: // b
+            case 75: // k
+            case 80: // p
+                goToPrevious();
+                break;
+        }
+    };
+})();
+window.addEventListener('keydown', jumpToCode);