kuzzle 2.14.0 → 2.14.5

package/lib/api/controllers/securityController.js

@@ -25,7 +25,7 @@ const { isEmpty, isNil } = require('lodash');
 const Bluebird = require('bluebird');
 const { v4: uuidv4 } = require('uuid');
 
-const { KuzzleError } = require('../../kerror/errors');
+const { KuzzleError, BadRequestError } = require('../../kerror/errors');
 const { Request } = require('../request');
 const { NativeController } = require('./baseController');
 const formatProcessing = require('../../core/auth/formatProcessing');
@@ -320,19 +320,33 @@ class SecurityController extends NativeController {
   }
 
   /**
-   * Return a list of roles that specify a right for the given indexes
+   * Search for roles
    *
    * @param {Request} request
    * @returns {Promise<Object>}
    */
-  async searchRoles(request) {
+  async searchRoles (request) {
     const from = request.getInteger('from', 0);
     const size = this._getSearchPageSize(request);
-    const controllers = request.getBodyArray('controllers', []);
+    const lang = request.getLangParam();
+    const body = request.getBody({});
+
+    if (body.controllers && body.query) {
+      throw new BadRequestError('You cannot specifify both "controllers" and "query". Prefer the usage of "query" property with a search query.');
+    }
+
+    if (body.controllers) {
+      // Type checking
+      request.getBodyArray('controllers');
+    }
+
+    if (lang === 'koncorde') {
+      body.query = await this.translateKoncorde(body.query || {});
+    }
 
     const response = await this.ask(
       'core:security:role:search',
-      controllers,
+      body,
       { from, size });
 
     response.hits = response.hits.map(formatProcessing.serializeRole);
@@ -367,7 +381,7 @@ class SecurityController extends NativeController {
    * @param {Request} request
    * @returns {Promise<Object>}
    */
-  async createRole(request) {
+  async createRole (request) {
     const id = request.getId();
     const body = request.getBody();
     const userId = request.getKuid();
@@ -515,20 +529,42 @@ class SecurityController extends NativeController {
   }
 
   /**
-   * Returns a list of profiles that contain a given set of roles
+   * Search for profiles
    *
    * @param {Request} request
    * @returns {Promise<Object>}
    */
-  async searchProfiles(request) {
-    const roles = request.getBodyArray('roles', []);
-    const from = request.getInteger('from', 0);
+  async searchProfiles (request) {
     const size = this._getSearchPageSize(request);
-    const scroll = request.getScrollTTLParam();
+    const { from, scrollTTL, searchBody } = request.getSearchParams();
+    const lang = request.getLangParam();
+    const body = request.getBody({});
+
+    if (body.roles && body.query) {
+      throw new BadRequestError('You cannot specifify both "roles" and "query". Prefer the usage of "query" property with a search query.');
+    }
+
+    if (body.roles) {
+      const roles = request.getBodyArray('roles');
+
+      request.addDeprecation('auto-version', 'Usage of the "roles" property is deprecated. Prefer the usage of "query" property with a search query.');
+
+      if (roles.length > 0) {
+        searchBody.query = { terms: { 'policies.roleId': roles } };
+      }
+      else {
+        searchBody.query = { match_all: {} };
+      }
+      delete body.roles;
+    }
+
+    if (lang === 'koncorde') {
+      searchBody.query = await this.translateKoncorde(searchBody.query || {});
+    }
 
-    const response = await this.ask('core:security:profile:search', roles, {
+    const response = await this.ask('core:security:profile:search', searchBody, {
       from,
-      scroll,
+      scroll: scrollTTL,
       size,
     });
 

package/lib/api/funnel.js

@@ -269,10 +269,11 @@ class Funnel {
       && !this._isOriginAuthorized(request.input.headers.origin)
     ) {
       debug('Reject request, unauthorized origin %s', request.input.headers.origin);
-      callback(
+      return this._executeError(
         kerror.get('api', 'process', 'unauthorized_origin', request.input.headers.origin),
-        request);
-      return 1;
+        request,
+        true,
+        callback);
     }
 
     try {
@@ -288,7 +289,7 @@ class Funnel {
         debug('Starting request %s:%s [%s]: %j', req.input.controller, req.input.action, req.id, req.input);
 
         global.kuzzle.asyncStore.run(() => {
-          
+
           global.kuzzle.asyncStore.set('REQUEST', req);
           global.kuzzle.pipe('request:beforeExecution', req)
             .then(modifiedRequest => {
@@ -325,7 +326,7 @@ class Funnel {
             .catch(err => {
               debug('Error processing request %s: %a', req.id, err);
               return this._executeError(err, req, true, callback);
-            });  
+            });
         });
       }, this, request);
 
@@ -410,31 +411,19 @@ class Funnel {
     // When a request is made with cookieAuth set to true
     // We try to use the auth token cookie if present as auth token
     // otherwise check for auth token as input
-    if (request.input.headers
-      && has(request.input.headers, 'cookie')
-    ) {
+    if (request.input.headers && has(request.input.headers, 'cookie')) {
       let cookie;
       try {
         cookie = Cookie.parse(request.input.headers.cookie);
       }
       catch (error) {
-        throw kerror.get(
-          'security',
-          'cookie',
-          'invalid'
-        );
+        throw kerror.get('security','cookie', 'invalid');
       }
 
       // if cookie is present and not null, and a token is present we should throw because we don't know which one to use
-      if (cookie.authToken
-        && cookie.authToken !== 'null'
-      ) {
-        if (!global.kuzzle.config.http.cookieAuthentication) {
-          throw kerror.get(
-            'security',
-            'cookie',
-            'unsupported'
-          );
+      if (cookie.authToken && cookie.authToken !== 'null') {
+        if (! global.kuzzle.config.http.cookieAuthentication) {
+          throw kerror.get('security', 'cookie', 'unsupported');
         }
 
         if (request.input.jwt) {
@@ -840,8 +829,8 @@ class Funnel {
 
   /**
    * Verifies if requests sent from a specific origin are allowed
-   * @param {string} origin 
-   * @returns 
+   * @param {string} origin
+   * @returns
    */
   _isOriginAuthorized (origin) {
     const httpConfig = global.kuzzle.config.http;

package/lib/api/openApiGenerator.js

@@ -94,6 +94,12 @@ module.exports = function generateOpenApi () {
       return;
     }
 
+    // If custom specification, return as it is
+    if (route.openapi) {
+      response.paths[route.formattedPath][route.verb] = route.openapi;
+      return;
+    }
+
     if (route.info === undefined) {
       route.info = {};
     }

package/lib/api/request/kuzzleRequest.js

@@ -73,7 +73,7 @@ const _deprecations = 'deprecations\u200b';
  */
 class KuzzleRequest {
     constructor(data, options) {
-        this[_internalId] = nanoid_1.nanoid();
+        this[_internalId] = (0, nanoid_1.nanoid)();
         this[_status] = 102;
         this[_input] = new requestInput_1.RequestInput(data);
         this[_context] = new requestContext_1.RequestContext(options);
@@ -86,7 +86,7 @@ class KuzzleRequest {
         this[_input].headers = this[_context].connection.misc.headers;
         this.id = data.requestId
             ? assert.assertString('requestId', data.requestId)
-            : nanoid_1.nanoid();
+            : (0, nanoid_1.nanoid)();
         this[_timestamp] = data.timestamp || Date.now();
         // handling provided options
         if (options !== undefined && options !== null) {
@@ -651,7 +651,7 @@ class KuzzleRequest {
      * @param errorName name to use in error messages
      */
     _getBoolean(obj, name, errorName) {
-        let value = safeObject_1.get(obj, name);
+        let value = (0, safeObject_1.get)(obj, name);
         // In HTTP, booleans are flags: if it's in the querystring, it's set,
         // whatever its value.
         // If a user needs to unset the option, they need to remove it from the
@@ -680,7 +680,7 @@ class KuzzleRequest {
      * @param def default value
      */
     _getNumber(obj, name, errorName, def = null) {
-        let value = safeObject_1.get(obj, name);
+        let value = (0, safeObject_1.get)(obj, name);
         if (value === undefined || value === null) {
             if (def !== null) {
                 return def;
@@ -702,7 +702,7 @@ class KuzzleRequest {
      * @param def default value
      */
     _getInteger(obj, name, errorName, def = null) {
-        let value = safeObject_1.get(obj, name);
+        let value = (0, safeObject_1.get)(obj, name);
         if (value === undefined || value === null) {
             if (def !== null) {
                 return def;
@@ -724,7 +724,7 @@ class KuzzleRequest {
      * @param def default value
      */
     _getString(obj, name, errorName, def = null) {
-        const value = safeObject_1.get(obj, name);
+        const value = (0, safeObject_1.get)(obj, name);
         if (value === undefined || value === null) {
             if (def !== null) {
                 return def;
@@ -745,7 +745,7 @@ class KuzzleRequest {
      * @param def default value
      */
     _getArray(obj, name, errorName, def = null) {
-        const value = safeObject_1.get(obj, name);
+        const value = (0, safeObject_1.get)(obj, name);
         if (value === undefined || value === null) {
             if (def !== null) {
                 return def;
@@ -766,14 +766,14 @@ class KuzzleRequest {
      * @param def default value
      */
     _getObject(obj, name, errorName, def = null) {
-        const value = safeObject_1.get(obj, name);
+        const value = (0, safeObject_1.get)(obj, name);
         if (value === undefined || value === null) {
             if (def !== null) {
                 return def;
             }
             throw assertionError.get('missing_argument', errorName);
         }
-        if (!safeObject_1.isPlainObject(value)) {
+        if (!(0, safeObject_1.isPlainObject)(value)) {
             throw assertionError.get('invalid_type', errorName, 'object');
         }
         return value;

package/lib/config/default.config.js

@@ -301,9 +301,17 @@ module.exports = {
           profiles: {
             dynamic: 'false',
             properties: {
+              tags: { type: 'keyword' },
               policies: {
                 properties:  {
-                  roleId: { type: 'keyword' }
+                  roleId: { type: 'keyword' },
+                  restrictedTo: {
+                    type: 'nested',
+                    properties: {
+                      index: { type: 'keyword' },
+                      collections: { type: 'keyword' }
+                    }
+                  }
                 }
               }
             }
@@ -311,6 +319,7 @@ module.exports = {
           roles: {
             dynamic: 'false',
             properties: {
+              tags: { type: 'keyword' },
               controllers: {
                 dynamic: 'false',
                 properties: {}

package/lib/core/auth/tokenManager.d.ts

@@ -0,0 +1,65 @@
+import '../../types/Global';
+import { Token } from '../../model/security/token';
+/**
+ * Maintains a list of valid tokens used by connected protocols.
+ *
+ * When a token expires, this module cleans up the corresponding connection's
+ * subscriptions if any, and notify the user
+ */
+export declare class TokenManager {
+    private tokens;
+    private anonymousUserId;
+    private tokensByConnection;
+    private timer;
+    constructor();
+    init(): Promise<void>;
+    runTimer(): void;
+    /**
+     * Link a connection and a token.
+     * If one or another expires, associated subscriptions are cleaned up
+     * @param token
+     * @param connectionId
+     */
+    link(token: Token, connectionId: string): void;
+    /**
+     * Unlink a connection from its associated token
+     *
+     * @param token
+     * @param connectionId
+     */
+    unlink(token: Token, connectionId: string): void;
+    /**
+     * Called when a token expires before its time (e.g. following a
+     * auth:logout action)
+     * This method removes all maintained links and cleans up the
+     * hotel clerk
+     *
+     * @param token
+     */
+    expire(token: Token): Promise<void>;
+    /**
+     * Refresh an existing token with a new one
+     *
+     * @param oldToken
+     * @param newToken
+     */
+    refresh(oldToken: Token, newToken: Token): void;
+    checkTokensValidity(): Promise<void>;
+    /**
+     * Gets the token matching user & connection if any
+     */
+    getConnectedUserToken(userId: string, connectionId: string): Token | null;
+    /**
+     * Returns the kuid associated to a connection
+     */
+    getKuidFromConnection(connectionId: string): string | null;
+    /**
+     * Adds token to internal collections
+     *
+     * @param token
+     * @param connectionId
+     */
+    private add;
+    private removeConnectionLinkedToToken;
+    private deleteByIndex;
+}