@w3-commons/js-build-resources 0.0.1-security → 1.0.4

package/settings-service/src/helpers/commons.ts

@@ -0,0 +1,69 @@
+import { createCipheriv, createDecipheriv, randomBytes } from 'crypto';
+import randomstring from 'randomstring';
+import { logger } from '../logger/logger';
+
+const IV_LENGTH = 16; /** For AES, this is always 16 */
+const CLASS_NAME = 'commons';
+
+export function createRandomToken(): string {
+  return randomstring.generate({
+    length: 48,
+    charset: 'alphanumeric',
+  });
+}
+
+export function encryptSync(text: string, secret: string): string {
+  if (secret.length !== 32) {
+    throw new Error('Invalid length of secret. Must be 256 bytes or 32 characters long');
+  }
+  const iv = randomBytes(IV_LENGTH);
+  const cipher = createCipheriv('aes-256-cbc', Buffer.from(secret), iv);
+  const cipherInitial = cipher.update(Buffer.from(text));
+  const encrypted = Buffer.concat([cipherInitial, cipher.final()]);
+  return `${iv.toString('hex')}:${encrypted.toString('hex')}`;
+}
+
+export function decryptSync(text: string, secret: string): string {
+  if (secret.length !== 32) {
+    throw new Error('Invalid length of secret. Must be 256 bytes or 32 characters long');
+  }
+  const [iv, encrypted]: string[] = text.split(':');
+  const decipher = createDecipheriv('aes-256-cbc', Buffer.from(secret), Buffer.from(iv, 'hex'));
+  const decipherInitial = decipher.update(Buffer.from(encrypted, 'hex'));
+  const decrypted = Buffer.concat([decipherInitial, decipher.final()]);
+
+  return decrypted.toString();
+}
+
+export async function encrypt(text: string, secret: string): Promise<string> {
+  const encryptedValue: string = encryptSync(text, secret);
+  logger.info(`${CLASS_NAME} | ${encrypt.name}() | Encrypted value: ${encryptedValue}`);
+  return encryptedValue;
+}
+
+export async function decrypt(text: string, secret: string): Promise<string> {
+  const decryptedValue: string = decryptSync(text, secret);
+  logger.debug(`${CLASS_NAME} | ${decrypt.name}() | Decrypted value: ${decryptedValue}`);
+  return decryptedValue;
+}
+
+/**
+ * This utility method returns a string array with parsed values of appId & token
+ * from apiKey
+ *
+ * @param apiKey
+ */
+export function parseAppIdAndToken(apiKey: string): string[] {
+  const parsedValues: string[] = [];
+  if (apiKey) {
+    const index: number = apiKey.lastIndexOf(':');
+    if (index > -1) {
+      const appId: string = apiKey.substring(0, index);
+      const token: string = apiKey.split(':').pop() || '';
+      parsedValues[0] = appId;
+      parsedValues[1] = token;
+    }
+  }
+  logger.debug(`${CLASS_NAME} | ${parseAppIdAndToken.name}() | Parsed appid & token: ${parsedValues}`);
+  return parsedValues;
+}

package/settings-service/src/logger/logger.ts

@@ -0,0 +1,17 @@
+import appRootPath from 'app-root-path';
+import * as winston from 'winston';
+import { settings } from '../config/config';
+
+export const logger: winston.Logger = winston.createLogger({
+  level: settings.logLevel,
+  exitOnError: false,
+  transports: [
+    new winston.transports.Console({
+      format: winston.format.json(),
+      silent: process.argv.indexOf('--silent') >= 0,
+    }),
+    new winston.transports.File({
+      filename: `${appRootPath}/settings-service.log`,
+    }),
+  ],
+});

package/settings-service/src/middleware/AuthenticationMiddleware.ts

@@ -0,0 +1,486 @@
+import _ from 'lodash';
+import requestPromise from 'request-promise';
+import { Next, Response, Route } from 'restify';
+import { NotFoundError } from 'restify-errors';
+import { ApiKeyRepoFactory } from '../repo/ApiKeyRepoFactory';
+import W3IdUser from '../types/W3IdUser';
+import { settings } from '../config/config';
+import { logger } from '../logger/logger';
+import { ApiKey } from '../types/ApiKey';
+import { ApiKeyRepo } from '../repo/ApiKeyRepo';
+import { parseAppIdAndToken } from '../helpers/commons';
+import { IRequest } from '../types/IRequest';
+import { IRouteOptions } from '../types/IRouteOptions';
+
+interface UserDetails {
+  email: string;
+  id: string;
+}
+
+enum OperationType {
+  QUERY = 'QUERY',
+  MUTATION = 'MUTATION',
+  REST = 'REST',
+}
+
+interface OperationDetails {
+  operationName: string;
+  operationType: OperationType;
+}
+
+/**
+ * This is a middleware Class which contains methods to perform authentication header validation
+ * and read authentication plugin response.
+ */
+export class AuthenticationMiddleware {
+  public static healthCheckPath: IRouteOptions = {
+    path: '/health/ping',
+    authRequired: false,
+    version: settings.apiVersion,
+  };
+
+  public static settingsPath: IRouteOptions = {
+    path: `/v1/settings/users/:userID/apps/:appID`,
+    authRequired: true,
+    version: settings.apiVersion,
+  };
+
+  public static allSettingsPath: IRouteOptions = {
+    path: `/v1/settings/users/all`,
+    authRequired: true,
+    version: settings.apiVersion,
+  };
+
+  public static allAppSettingsPath: IRouteOptions = {
+    path: `/v1/settings/app/:appID`,
+    authRequired: true,
+    version: settings.apiVersion,
+  };
+
+  public static singleAppSettingPath: IRouteOptions = {
+    path: `/v1/settings/app/:appID/setting/:settingName`,
+    authRequired: true,
+    version: settings.apiVersion,
+  };
+
+  public static apiKeyPath: IRouteOptions = {
+    path: `/v1/settings/apiKey/app/:appID`,
+    authRequired: true,
+    version: settings.apiVersion,
+  };
+
+  public static deleteSettingsPath: IRouteOptions = {
+    path: `/v1/settings/users/:userId`,
+    authRequired: true,
+    version: settings.apiVersion,
+  };
+
+  public static AUTH_POLICY_BEARER = 'bearer';
+
+  public static AUTH_POLICY_API_KEY = 'apiKey';
+
+  static HEADER_AUTHORIZATION = 'headers.authorization';
+  /**
+   * This method checks for the required authentication headers.
+   * @param req
+   * @param res
+   * @param next
+   */
+
+  public static checkAuthentication(req: IRequest, res: Response, next: Next): void {
+    const w3idAuthPluginRequest: IRequest = req;
+    const route: IRouteOptions = (w3idAuthPluginRequest.getRoute() as Route).spec;
+
+    if (!route.authRequired) {
+      return next();
+    }
+    if (process.env.APP_ENVIRONMENT === 'production') {
+      AuthenticationMiddleware.ensureAuthenticated(req, res, next);
+      return undefined;
+    }
+    try {
+      const authorization = _.get(req, AuthenticationMiddleware.HEADER_AUTHORIZATION);
+
+      logger.debug(
+        `${AuthenticationMiddleware.name} | ${AuthenticationMiddleware.checkAuthentication.name}() | Authorization: ${authorization}`,
+      );
+      if (!_.isEmpty(authorization) && authorization.includes('id') && authorization.includes('email')) {
+        const spaceIndex: number = _.indexOf(authorization, ' ');
+        const token = authorization.substring(spaceIndex + 1);
+        const details: UserDetails = JSON.parse(token);
+        req.username = details.id;
+        req.isAuthenticated = true;
+        req.auth_policy = AuthenticationMiddleware.AUTH_POLICY_BEARER;
+        return next();
+      }
+      AuthenticationMiddleware.ensureAuthenticated(req, res, next);
+      return undefined;
+    } catch (err) {
+      logger.error(
+        `${AuthenticationMiddleware.name} | ${AuthenticationMiddleware.checkAuthentication.name}() | Invalid token format: ${err}`,
+      );
+      res.send(400, { code: 400, message: `Bad Request token format: ${err}` });
+      return next(false);
+    }
+  }
+
+  /**
+   * This method checks rules based on authentication headers before authentication.
+   * It can respond with 401 code.
+   * Example: API key based authentication strategy must be used for deleteCascade Mutation.
+   * @param req
+   * @param res
+   * @param next
+   */
+  public static checkPreAuthentication(req: IRequest, res: Response, next: Next): void {
+    const operationDetails: OperationDetails | undefined = AuthenticationMiddleware.getOperationDetails(req);
+    if (operationDetails === undefined) {
+      return next();
+    }
+    const errMessage: string | undefined = AuthenticationMiddleware.getPreAuthenticationErrorMessage(
+      req,
+      operationDetails,
+    );
+    if (errMessage === undefined) {
+      return next();
+    }
+    res.send(401, { code: 401, message: errMessage });
+    return next(false);
+  }
+
+  /**
+   * This method validates user's authentication token using the IBM Security Verify approach
+   *
+   * @param req
+   * @param res
+   * @param next
+   * @returns whether to forward to next layer or not
+   */
+  public static async ensureAuthenticated(req: IRequest, res: Response, next: Next): Promise<void> {
+    try {
+      if (!req.headers.authorization) {
+        logger.info(
+          `${AuthenticationMiddleware.name} | ${AuthenticationMiddleware.ensureAuthenticated.name}() | Missing required authentication header in the request.`,
+        );
+        res.send(401, { code: 401, message: 'Missing required authentication header' });
+        return next(false);
+      }
+      const authorization: string = _.get(req, AuthenticationMiddleware.HEADER_AUTHORIZATION);
+      const bearerToken: string[] = _.split(authorization, ' ');
+      if (bearerToken.length < 2) {
+        logger.error(
+          `${AuthenticationMiddleware.name} | ${AuthenticationMiddleware.ensureAuthenticated.name}() | Missing required authentication token`,
+        );
+        res.send(401, { code: 401, message: 'Missing required authentication token' });
+        return next(false);
+      }
+
+      // Check if request to be authenticated by API key
+      if (bearerToken[0] === AuthenticationMiddleware.AUTH_POLICY_API_KEY) {
+        try {
+          const appId = req.params.appID;
+          const isValidApiKey: boolean = await AuthenticationMiddleware.verifyApiKeyWithAppId(
+            res,
+            bearerToken[1],
+            appId,
+          );
+          if (isValidApiKey) {
+            req.isAuthenticated = true;
+            req.auth_policy = AuthenticationMiddleware.AUTH_POLICY_API_KEY;
+
+            logger.info(
+              `${AuthenticationMiddleware.name} | ${AuthenticationMiddleware.ensureAuthenticated.name}() | ** Authenticated successfully by api key **`,
+            );
+            return next();
+          }
+          res.send(401, { code: 401, message: 'Api key is not valid. Please verify and try again' });
+
+          logger.warn(
+            `${AuthenticationMiddleware.name} | ${AuthenticationMiddleware.ensureAuthenticated.name}() | Unable to authenticate with the provided api key`,
+          );
+          return next(false);
+        } catch (err) {
+          logger.error(
+            `${AuthenticationMiddleware.name} | ${AuthenticationMiddleware.ensureAuthenticated.name}() | Error while validating api token: ${err}`,
+          );
+          return next(false);
+        }
+      }
+
+      try {
+        const authUserInfo = await AuthenticationMiddleware.introspectISV(res, bearerToken[1]);
+        let parsedAuthUserInfo: W3IdUser = {};
+        try {
+          parsedAuthUserInfo = JSON.parse(authUserInfo);
+        } catch (err) {
+          logger.error(
+            `${AuthenticationMiddleware.name} | ${
+              AuthenticationMiddleware.ensureAuthenticated.name
+            }() | JSON parse error: ${JSON.stringify(authUserInfo)}`,
+          );
+        }
+        logger.debug(
+          `${AuthenticationMiddleware.name} | ${
+            AuthenticationMiddleware.ensureAuthenticated.name
+          }() | Response from ISV : ${JSON.stringify(authUserInfo)}`,
+        );
+        const userId = _.get(parsedAuthUserInfo, 'uid');
+        if (!_.isEmpty(userId)) {
+          req.username = userId;
+          req.isAuthenticated = true;
+          req.auth_policy = AuthenticationMiddleware.AUTH_POLICY_BEARER;
+          return next();
+        }
+        res.send(401, { code: 401, message: 'User token is expired or is invalid' });
+        logger.error(
+          `${AuthenticationMiddleware.name} | ${AuthenticationMiddleware.ensureAuthenticated.name}() | Invalid token. Unable to retrieve userId from JWT response.`,
+        );
+        return next(false);
+      } catch (err) {
+        logger.error(
+          `${AuthenticationMiddleware.name} | ${
+            AuthenticationMiddleware.ensureAuthenticated.name
+          }() | Error while validating oidc token: ${JSON.stringify(err)}`,
+        );
+        return next(false);
+      }
+    } catch (err) {
+      logger.error(
+        `${AuthenticationMiddleware.name} | ${AuthenticationMiddleware.ensureAuthenticated.name}() | Error in ensureAuthenticatedv1: ${err}`,
+      );
+      return next(false);
+    }
+  }
+
+  /**
+   * This method validates the JWT based token
+   *
+   * @param res
+   * @param token
+   * @returns userdetails
+   */
+  public static async introspectISV(res: Response, bearerToken: string): Promise<string> {
+    try {
+      const authRes = await requestPromise.post({
+        method: 'POST',
+        uri: settings.isv_introspectionUrl,
+        form: {
+          token: bearerToken,
+          client_id: settings.isv_clientId,
+          client_secret: settings.isv_clientSecret,
+        },
+      });
+      return authRes;
+    } catch (err) {
+      logger.error(
+        `${AuthenticationMiddleware.name} | ${AuthenticationMiddleware.introspectISV.name}() | introspectJWT error: ${err}`,
+      );
+      res.send(401, { code: 401, message: 'Unable to authenticate the user' });
+      throw new Error('Unable to authenticate the user');
+    }
+  }
+
+  /**
+   * This method validates the apikey of the incoming request
+   *
+   * @param res
+   * @param appId
+   * @param apiKey
+   */
+  public static async verifyApiKeyWithAppId(
+    res: Response,
+    apiKey: string,
+    appIdFromParams: string,
+  ): Promise<boolean> {
+    let flag = false;
+    try {
+      const decodedBase64Key = Buffer.from(apiKey, 'base64').toString('utf-8');
+      const [appIdFromToken, apiToken]: string[] = parseAppIdAndToken(decodedBase64Key);
+      if (appIdFromToken !== appIdFromParams && !settings.restrictedAppIdWhitelist.includes(appIdFromToken)) {
+        logger.error(
+          `${AuthenticationMiddleware.name} | ${this.verifyApiKeyWithAppId.name}() | appId from query params does not match appId from bearer token`,
+        );
+        res.send(400, {
+          code: 400,
+          message: `Unable to verify API key: appId you are trying to access does not match bearer token`,
+        });
+        throw new Error('appId you are trying to access does not match bearer token');
+      }
+
+      logger.debug(
+        `${AuthenticationMiddleware.name} | ${this.verifyApiKeyWithAppId.name}() | app id: ${appIdFromToken}`,
+      );
+      logger.debug(
+        `${AuthenticationMiddleware.name} | ${this.verifyApiKeyWithAppId.name}() | app token: ${apiToken}`,
+      );
+
+      if (appIdFromToken && apiToken) {
+        const apiKeyRepo: ApiKeyRepo = ApiKeyRepoFactory.accessOrCreateSingleton();
+        try {
+          if (settings.restrictedAppIdWhitelist.includes(appIdFromToken)) {
+            const masterPersistedKey: ApiKey = await apiKeyRepo.getApiKey(appIdFromToken);
+            if (masterPersistedKey.key === apiToken) {
+              flag = true;
+            }
+          }
+          // Fetch api key from DB and compare with incoming token
+          const persistedKey: ApiKey = await apiKeyRepo.getApiKey(appIdFromToken);
+
+          if (persistedKey.key === apiToken) {
+            flag = true;
+          }
+        } catch (err) {
+          if (err instanceof NotFoundError) {
+            return flag;
+          }
+          throw err;
+        }
+      }
+      return flag;
+    } catch (err) {
+      logger.error(
+        `${AuthenticationMiddleware.name} | ${AuthenticationMiddleware.verifyApiKeyWithAppId.name}() | Api key verification error: ${err}`,
+      );
+      res.send(500, { code: 500, message: `Unable to verify API key: ${err.message}` });
+      throw new Error(`Unable to verify API key: ${err.message}`);
+    }
+  }
+
+  /**
+   *  This method checks rules based on authentication headers after authentication.
+   *  It can respond with 403 code.
+   * Example: Authorization for operations related to API keys.
+   * @param req
+   * @param res
+   * @param next
+   */
+  public static checkPostAuthentication(req: IRequest, res: Response, next: Next): void {
+    const operationDetails: OperationDetails | undefined = AuthenticationMiddleware.getOperationDetails(req);
+    if (operationDetails === undefined) {
+      return next();
+    }
+    if (operationDetails.operationName === 'apiKey') {
+      logger.info(
+        `${AuthenticationMiddleware.name} | ${AuthenticationMiddleware.checkPostAuthentication.name}() | Checking for user authorization`,
+      );
+      if (!AuthenticationMiddleware.isAuthorizedToRequestApiKey(req)) {
+        res.send(403, {
+          code: 403,
+          message: `You are not authorized for ${operationDetails.operationName} operations.`,
+        });
+        return next(false);
+      }
+    }
+    return next();
+  }
+
+  /**
+   * This method verifies if the api key requestor is authorized or not.
+   *
+   * @param req
+   */
+  public static isAuthorizedToRequestApiKey(req: IRequest): boolean {
+    const authenticatedUser: string = _.toUpper(req.username);
+    const apiKeyAuthorizedUserIds: string[] = _.split(settings.apiKeyAuthorizedUserIds, ',');
+    const flag: boolean = req.isAuthenticated && apiKeyAuthorizedUserIds.indexOf(authenticatedUser) !== -1;
+    return flag;
+  }
+
+  private static getPreAuthenticationErrorMessage(
+    req: IRequest,
+    operationDetails: OperationDetails,
+  ): string | undefined {
+    switch (operationDetails.operationType) {
+      case OperationType.REST: {
+        switch (operationDetails.operationName) {
+          case 'settings': {
+            return !AuthenticationMiddleware.usesAuthPolicyBearer(req) &&
+              !AuthenticationMiddleware.usesAuthPolicyApiKey(req)
+              ? `w3id/jwt token or API key based authentication strategy must be used for ${operationDetails.operationName} Query.`
+              : undefined;
+          }
+          case 'appSettings': {
+            return !AuthenticationMiddleware.usesAuthPolicyApiKey(req)
+              ? `API key based authentication strategy must be used for ${operationDetails.operationName} Query.`
+              : undefined;
+          }
+          case 'settingsDelete': {
+            return !AuthenticationMiddleware.usesAuthPolicyApiKey(req)
+              ? // tslint:disable-next-line:max-line-length
+                `API key based authentication strategy must be used for delete settings operation.`
+              : undefined;
+          }
+          case 'getAllUsers': {
+            return !AuthenticationMiddleware.usesAuthPolicyApiKey(req)
+              ? // tslint:disable-next-line:max-line-length
+                `API key based authentication strategy must be used for get all user settings operation.`
+              : undefined;
+          }
+          default:
+            return undefined;
+        }
+      }
+      default:
+        return undefined;
+    }
+  }
+
+  private static getOperationDetails(req: IRequest): OperationDetails | undefined {
+    const pathValue: string = req.path();
+    if (pathValue && pathValue.startsWith('/v1/settings/users/all')) {
+      logger.debug(
+        `${AuthenticationMiddleware.name} | ${this.getOperationDetails.name}() | Path value: ${req.path()}`,
+      );
+      return { operationName: 'getAllUsers', operationType: OperationType.REST };
+    }
+    if (pathValue && pathValue.startsWith('/v1/settings/users') && req.method === 'DELETE') {
+      logger.debug(
+        `${AuthenticationMiddleware.name} | ${this.getOperationDetails.name}() | Path value: ${req.path()}`,
+      );
+      return { operationName: 'settingsDelete', operationType: OperationType.REST };
+    }
+    if (pathValue && pathValue.startsWith('/v1/settings/users')) {
+      logger.debug(
+        `${AuthenticationMiddleware.name} | ${this.getOperationDetails.name}() | Path value: ${req.path()}`,
+      );
+      return { operationName: 'settings', operationType: OperationType.REST };
+    }
+    if (pathValue && pathValue.startsWith('/v1/settings/app')) {
+      logger.debug(
+        `${AuthenticationMiddleware.name} | ${this.getOperationDetails.name}() | Path value: ${req.path()}`,
+      );
+      return { operationName: 'appSettings', operationType: OperationType.REST };
+    }
+    if (pathValue && pathValue.startsWith('/v1/settings/apiKey')) {
+      logger.debug(
+        `${AuthenticationMiddleware.name} | ${this.getOperationDetails.name}() | Path value: ${req.path()}`,
+      );
+      return { operationName: 'apiKey', operationType: OperationType.REST };
+    }
+    return undefined;
+  }
+
+  private static usesAuthPolicyBearer(req: IRequest): boolean {
+    if (!req.headers.authorization) {
+      return false;
+    }
+    const authorization: string = _.get(req, AuthenticationMiddleware.HEADER_AUTHORIZATION);
+    const bearerToken: string[] = _.split(authorization, ' ');
+    if (bearerToken.length < 2) {
+      return false;
+    }
+    return bearerToken[0].toLowerCase() === AuthenticationMiddleware.AUTH_POLICY_BEARER.toLowerCase();
+  }
+
+  private static usesAuthPolicyApiKey(req: IRequest): boolean {
+    if (!req.headers.authorization) {
+      return false;
+    }
+    const authorization: string = _.get(req, AuthenticationMiddleware.HEADER_AUTHORIZATION);
+    const bearerToken: string[] = _.split(authorization, ' ');
+    if (bearerToken.length < 2) {
+      return false;
+    }
+    return bearerToken[0] === AuthenticationMiddleware.AUTH_POLICY_API_KEY;
+  }
+}

package/settings-service/src/middleware/AuthenticationMiddlewareFactory.ts

@@ -0,0 +1,10 @@
+import { AuthenticationMiddleware } from './AuthenticationMiddleware';
+
+export class AuthenticationMiddlewareFactory {
+  private static singleton: AuthenticationMiddleware;
+
+  static accessOrCreateSingleton(): AuthenticationMiddleware {
+    this.singleton = this.singleton || new AuthenticationMiddleware();
+    return this.singleton;
+  }
+}