kuzzle 2.16.8 → 2.17.0

package/lib/model/security/role.js

@@ -1,3 +1,4 @@
+"use strict";
 /*
  * Kuzzle, a backend software, self-hostable and ready to use
  * to power modern apps
@@ -18,202 +19,169 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-
-'use strict';
-
-const kerror = require('../../kerror');
-const { has, isPlainObject } = require('../../util/safeObject');
-
-const assertionError = kerror.wrap('api', 'assert');
-
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Role = void 0;
+const kerror_1 = __importDefault(require("../../kerror"));
+const safeObject_1 = require("../../util/safeObject");
+const array_1 = require("../../util/array");
+const assertionError = kerror_1.default.wrap('api', 'assert');
 /**
  * @class Role
  */
 class Role {
-  constructor () {
-    this.controllers = {};
-  }
-
-  /**
-   * @param {Request} request
-   * @param {Array} restrictedTo
-   * @returns {boolean}
-   */
-  isActionAllowed (request, restrictedTo = []) {
-    if (!global.kuzzle) {
-      throw kerror.get('security', 'role', 'uninitialized', this._id);
-    }
-
-    if (this.controllers === undefined || this.controllers === null) {
-      return false;
-    }
-
-    let controllerRights;
-
-    // @deprecated - the "memoryStorage" alias should be removed in the next
-    // major version
-    // Handles the memory storage controller aliases: ms, memoryStorage
-    if ((request.input.controller === 'ms' || request.input.controller === 'memoryStorage')
-      && (this.controllers.ms || this.controllers.memoryStorage)
-    ) {
-      controllerRights = this.controllers.ms || this.controllers.memoryStorage;
-    }
-    else if (has(this.controllers, request.input.controller)) {
-      controllerRights = this.controllers[request.input.controller];
-    }
-    else if (this.controllers['*'] !== undefined) {
-      controllerRights = this.controllers['*'];
-    }
-    else {
-      return false;
-    }
-
-    if (controllerRights.actions === undefined) {
-      return false;
-    }
-
-    let actionRights;
-
-    if (has(controllerRights.actions, request.input.action)) {
-      actionRights = controllerRights.actions[request.input.action];
-    }
-    else if (controllerRights.actions['*'] !== undefined) {
-      actionRights = controllerRights.actions['*'];
-    }
-    else {
-      return false;
-    }
-
-    if (typeof actionRights !== 'boolean' || !actionRights) {
-      return false;
-    }
-
-    return checkRestrictions(request, restrictedTo);
-  }
-
-  /**
-   * @returns {Promise}
-   */
-  async validateDefinition () {
-    if (this.controllers === undefined || this.controllers === null) {
-      throw assertionError.get('missing_argument', `${this._id}.controllers`);
-    }
-
-    if (!isPlainObject(this.controllers)) {
-      throw assertionError.get('invalid_type', `${this._id}.controllers`, 'object');
-    }
-
-    if (Object.keys(this.controllers).length === 0) {
-      throw assertionError.get('empty_argument', `${this._id}.controllers`);
-    }
-
-    Object
-      .entries(this.controllers)
-      .forEach(entry => this.validateControllerRights(...entry));
-  }
-
-  /**
-   * Verifies that a controller rights definition is correct
-   *
-   * @param  {Array.<string, Object>}
-   * @throws If the controller definition is invalid
-   */
-  validateControllerRights (name, controller) {
-    if (!isPlainObject(controller)) {
-      throw assertionError.get('invalid_type', name, 'object');
-    }
-
-    if (Object.keys(controller).length === 0) {
-      throw assertionError.get('empty_argument', name);
-    }
-
-    if (!has(controller, 'actions')) {
-      throw assertionError.get('missing_argument', name);
-    }
-
-    if (!isPlainObject(controller.actions)) {
-      throw assertionError.get('invalid_type', `${name}.actions`, 'object');
-    }
-
-    if (Object.keys(controller.actions).length === 0) {
-      throw assertionError.get('empty_argument', `${name}.actions`);
-    }
-
-    for (const [actionName, action] of Object.entries(controller.actions)) {
-      if (typeof action !== 'boolean') {
-        throw assertionError.get('invalid_type', `${name}.actions.${actionName}`, 'boolean');
-      }
-    }
-  }
-
-  /**
-   * Checks if current role allows to log in
-   *
-   * @returns {boolean}
-   */
-  canLogIn () {
-    for (const controllerKey of ['auth', '*']) {
-      if (this.controllers[controllerKey]) {
-        const controller = this.controllers[controllerKey];
-
-        for (const actionKey of ['login', '*']) {
-          const action = controller.actions[actionKey];
-
-          if (typeof action === 'boolean' && action) {
+    constructor() {
+        this.controllers = {};
+    }
+    /**
+     * @param {Request} request
+     * @returns {boolean}
+     */
+    isActionAllowed(request) {
+        if (!global.kuzzle) {
+            throw kerror_1.default.get('security', 'role', 'uninitialized', this._id);
+        }
+        if (this.controllers === undefined || this.controllers === null) {
+            return false;
+        }
+        let controllerRights;
+        // @deprecated - the "memoryStorage" alias should be removed in the next
+        // major version
+        // Handles the memory storage controller aliases: ms, memoryStorage
+        if ((request.input.controller === 'ms' || request.input.controller === 'memoryStorage')
+            && (this.controllers.ms || this.controllers.memoryStorage)) {
+            controllerRights = this.controllers.ms || this.controllers.memoryStorage;
+        }
+        else if ((0, safeObject_1.has)(this.controllers, request.input.controller)) {
+            controllerRights = this.controllers[request.input.controller];
+        }
+        else if (this.controllers['*'] !== undefined) {
+            controllerRights = this.controllers['*'];
+        }
+        else {
+            return false;
+        }
+        if (controllerRights.actions === undefined) {
+            return false;
+        }
+        let actionRights;
+        if ((0, safeObject_1.has)(controllerRights.actions, request.input.action)) {
+            actionRights = controllerRights.actions[request.input.action];
+        }
+        else if (controllerRights.actions['*'] !== undefined) {
+            actionRights = controllerRights.actions['*'];
+        }
+        else {
+            return false;
+        }
+        if (typeof actionRights !== 'boolean' || !actionRights) {
+            return false;
+        }
+        return true;
+    }
+    /**
+     * @returns {Promise}
+     */
+    async validateDefinition() {
+        if (this.controllers === undefined || this.controllers === null) {
+            throw assertionError.get('missing_argument', `${this._id}.controllers`);
+        }
+        if (!(0, safeObject_1.isPlainObject)(this.controllers)) {
+            throw assertionError.get('invalid_type', `${this._id}.controllers`, 'object');
+        }
+        if (Object.keys(this.controllers).length === 0) {
+            throw assertionError.get('empty_argument', `${this._id}.controllers`);
+        }
+        Object
+            .entries(this.controllers)
+            .forEach(entry => this.validateControllerRights(...entry));
+    }
+    /**
+     * @param {String} index
+     * @param {String} collection
+     * @param {Map<string, string[]>} restrictedTo Restricted indexes
+     * @returns {Boolean} resolves to a Boolean value
+     */
+    checkRestrictions(index, collection, restrictedTo) {
+        // If no restrictions, we allow the action:
+        if (!restrictedTo || restrictedTo.size === 0) {
             return true;
-          }
         }
-      }
+        // If the request's action does not refer to an index, restrictions are
+        // useless for this action (=> ignore them)
+        if (!index) {
+            return true;
+        }
+        // If the index is not in the restrictions, the action is not allowed
+        if (!restrictedTo.has(index)) {
+            return false;
+        }
+        const collections = restrictedTo.get(index);
+        // if no collections given on the restriction, the action is allowed for all
+        // collections:
+        if (!collections || collections.length === 0) {
+            return true;
+        }
+        // Find collection index in array
+        // If the collection is not in the array, the action is not allowed
+        // The array must be sorted for binary search to work
+        const indexOfCollection = (0, array_1.binarySearch)(collections, (collectionName) => {
+            if (collection > collectionName) {
+                return 1;
+            }
+            return collection < collectionName ? -1 : 0;
+        });
+        return indexOfCollection > -1; // Collection found
+    }
+    /**
+     * Verifies that a controller rights definition is correct
+     *
+     * @param  {Array.<string, Object>}
+     * @throws If the controller definition is invalid
+     */
+    validateControllerRights(name, controller) {
+        if (!(0, safeObject_1.isPlainObject)(controller)) {
+            throw assertionError.get('invalid_type', name, 'object');
+        }
+        if (Object.keys(controller).length === 0) {
+            throw assertionError.get('empty_argument', name);
+        }
+        if (!(0, safeObject_1.has)(controller, 'actions')) {
+            throw assertionError.get('missing_argument', name);
+        }
+        if (!(0, safeObject_1.isPlainObject)(controller.actions)) {
+            throw assertionError.get('invalid_type', `${name}.actions`, 'object');
+        }
+        if (Object.keys(controller.actions).length === 0) {
+            throw assertionError.get('empty_argument', `${name}.actions`);
+        }
+        for (const [actionName, action] of Object.entries(controller.actions)) {
+            if (typeof action !== 'boolean') {
+                throw assertionError.get('invalid_type', `${name}.actions.${actionName}`, 'boolean');
+            }
+        }
+    }
+    /**
+     * Checks if current role allows to log in
+     *
+     * @returns {boolean}
+     */
+    canLogIn() {
+        for (const controllerKey of ['auth', '*']) {
+            if (this.controllers[controllerKey]) {
+                const controller = this.controllers[controllerKey];
+                for (const actionKey of ['login', '*']) {
+                    const action = controller.actions[actionKey];
+                    if (typeof action === 'boolean' && action) {
+                        return true;
+                    }
+                }
+            }
+        }
+        return false;
     }
-
-    return false;
-  }
-}
-
-/**
- * @param {Request} request
- * @param {object} restriction a restriction object on an index
- * @returns {Boolean}
- */
-function checkIndexRestriction(request, restriction) {
-  if (restriction.index !== request.input.args.index) {
-    return false;
-  }
-
-  // if no collections given on the restriction, the action is allowed for all
-  // collections:
-  if (!restriction.collections || restriction.collections.length === 0) {
-    return true;
-  }
-
-  // If the request's action does not refer to a collection, the restriction
-  // is useless for this action (=> ignored):
-  if (!request.input.args.collection) {
-    return true;
-  }
-
-  return restriction.collections.includes(request.input.args.collection);
-}
-
-/**
- * @param {Request} request
- * @param {Array} restrictedTo
- * @returns {Boolean} resolves to a Boolean value
- */
-function checkRestrictions(request, restrictedTo) {
-  // If no restrictions, we allow the action:
-  if (restrictedTo.length === 0) {
-    return true;
-  }
-
-  // If the request's action does not refer to an index, restrictions are
-  // useless for this action (=> ignore them)
-  if (!request.input.args.index) {
-    return true;
-  }
-
-  return restrictedTo
-    .some(restriction => checkIndexRestriction(request, restriction));
 }
-
-module.exports = Role;
+exports.Role = Role;
+//# sourceMappingURL=role.js.map

package/lib/model/security/user.d.ts

@@ -0,0 +1,29 @@
+import { Profile } from './profile';
+import { KuzzleRequest } from '../../../index';
+/**
+ * @class User
+ */
+export declare class User {
+    _id: string;
+    profileIds: string[];
+    constructor();
+    /**
+     * @returns {Promise<Profile[]>}
+     */
+    getProfiles(): Promise<Profile[]>;
+    /**
+     * @returns {Promise}
+     */
+    getRights(): Promise<{}>;
+    /**
+     * @param {Request} request
+     * @returns {Promise.<boolean>}
+     */
+    isActionAllowed(request: KuzzleRequest): Promise<boolean>;
+    /**
+     * Verifies that every targets are allowed by at least one profile,
+     * while skipping the ones that includes a wildcard since they will be expanded
+     * later on, based on index and collections authorized for the given user.
+     */
+    private areTargetsAllowed;
+}

package/lib/model/security/user.js

@@ -1,3 +1,4 @@
+"use strict";
 /*
  * Kuzzle, a backend software, self-hostable and ready to use
  * to power modern apps
@@ -18,62 +19,93 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-
-'use strict';
-
-const Rights = require('./rights');
-const Bluebird = require('bluebird');
-const _ = require('lodash');
-const kerror = require('../../kerror');
-
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.User = void 0;
+const rights_1 = __importDefault(require("./rights"));
+const bluebird_1 = __importDefault(require("bluebird"));
+const lodash_1 = __importDefault(require("lodash"));
+const kerror_1 = __importDefault(require("../../kerror"));
 /**
  * @class User
  */
 class User {
-  constructor() {
-    this._id = null;
-    this.profileIds = [];
-  }
-
-  /**
-   * @returns {Promise<Profile[]>}
-   */
-  getProfiles() {
-    if (!global.kuzzle) {
-      return kerror.reject('security', 'user', 'uninitialized', this._id);
+    constructor() {
+        this._id = null;
+        this.profileIds = [];
     }
-
-    return global.kuzzle.ask('core:security:profile:mGet', this.profileIds);
-  }
-
-  /**
-   * @returns {Promise}
-   */
-  async getRights() {
-    const profiles = await this.getProfiles();
-    const results = await Bluebird.map(profiles, p => p.getRights());
-
-    const rights = {};
-
-    results.forEach(right => _.assignWith(rights, right, Rights.merge));
-
-    return rights;
-  }
-
-  /**
-   * @param {Request} request
-   * @returns {Promise.<boolean>}
-   */
-  async isActionAllowed(request) {
-    if (this.profileIds === undefined || this.profileIds.length === 0) {
-      return false;
+    /**
+     * @returns {Promise<Profile[]>}
+     */
+    getProfiles() {
+        if (!global.kuzzle) {
+            return kerror_1.default.reject('security', 'user', 'uninitialized', this._id);
+        }
+        return global.kuzzle.ask('core:security:profile:mGet', this.profileIds);
+    }
+    /**
+     * @returns {Promise}
+     */
+    async getRights() {
+        const profiles = await this.getProfiles();
+        const results = await bluebird_1.default.map(profiles, p => p.getRights());
+        const rights = {};
+        results.forEach(right => lodash_1.default.assignWith(rights, right, rights_1.default.merge));
+        return rights;
+    }
+    /**
+     * @param {Request} request
+     * @returns {Promise.<boolean>}
+     */
+    async isActionAllowed(request) {
+        if (this.profileIds === undefined || this.profileIds.length === 0) {
+            return false;
+        }
+        const targets = request.getArray('targets', []);
+        const profiles = await this.getProfiles();
+        if (targets.length === 0) {
+            for (const profile of profiles) {
+                if (await profile.isActionAllowed(request)) {
+                    return true;
+                }
+            }
+            return false;
+        }
+        // Every target must be allowed by at least one profile
+        return this.areTargetsAllowed(profiles, targets);
+    }
+    /**
+     * Verifies that every targets are allowed by at least one profile,
+     * while skipping the ones that includes a wildcard since they will be expanded
+     * later on, based on index and collections authorized for the given user.
+     */
+    async areTargetsAllowed(profiles, targets) {
+        const profilesPolicies = await bluebird_1.default.map(profiles, profile => profile.getAllowedPolicies());
+        // Every target must be allowed by at least one profile
+        for (const target of targets) {
+            // Skip targets with no Index or Collection
+            if (!target.index || !target.collections) {
+                continue;
+            }
+            // TODO: Support Wildcard
+            if (target.index.includes('*')) {
+                return false;
+            }
+            for (const collection of target.collections) {
+                // TODO: Support Wildcard
+                if (collection.includes('*')) {
+                    return false;
+                }
+                const isTargetAllowed = profilesPolicies.some(policies => policies.some(policy => policy.role.checkRestrictions(target.index, collection, policy.restrictedTo)));
+                if (!isTargetAllowed) {
+                    return false;
+                }
+            }
+        }
+        return true;
     }
-
-    const profiles = await this.getProfiles();
-    const result = await Bluebird.map(profiles, p => p.isActionAllowed(request));
-
-    return result.includes(true);
-  }
 }
-
-module.exports = User;
+exports.User = User;
+//# sourceMappingURL=user.js.map

package/lib/model/storage/apiKey.js

@@ -50,7 +50,7 @@ class ApiKey extends BaseModel {
     }
   }
 
-  serialize ({ includeToken=false } = {}) {
+  serialize ({ includeToken = false } = {}) {
     const serialized = super.serialize();
 
     if (! includeToken) {
@@ -90,7 +90,7 @@ class ApiKey extends BaseModel {
     user,
     expiresIn,
     description,
-    { creatorId=null, apiKeyId=null, refresh, bypassMaxTTL=false } = {}
+    { creatorId = null, apiKeyId = null, refresh, bypassMaxTTL = false } = {}
   ) {
     const token = await global.kuzzle.ask('core:security:token:create', user, {
       bypassMaxTTL,

package/lib/model/storage/baseModel.js

@@ -73,7 +73,7 @@ class BaseModel {
    *
    * @returns {Promise}
    */
-  async save ({ userId=null, refresh } = {}) {
+  async save ({ userId = null, refresh } = {}) {
     if (! this.__persisted) {
       const { _id, _source } = await global.kuzzle.internalIndex.create(
         this.constructor.collection,
@@ -123,7 +123,7 @@ class BaseModel {
    */
   serialize () {
     return {
-      _id : this._id,
+      _id: this._id,
       _source: this._source
     };
   }
@@ -195,7 +195,7 @@ class BaseModel {
     await Bluebird.map(
       documents,
       document => this._instantiateFromDb(document)._afterDelete(),
-      {concurrency: 10}); // limits the load on storage services
+      { concurrency: 10 }); // limits the load on storage services
 
     if (refresh) {
       await global.kuzzle.internalIndex.refreshCollection(this.collection);

package/lib/service/cache/redis.js

@@ -102,7 +102,7 @@ class Redis extends Service {
    * Setup a ping interval to keep the connection alive
    * Every 60 seconds a ping is sent to Redis
    */
-  _setupKeepAlive(delay) {
+  _setupKeepAlive (delay) {
     this.client.on('ready', async () => {
       await this._ping();
       this.pingIntervalID = setInterval(this._ping.bind(this), delay);
@@ -117,7 +117,7 @@ class Redis extends Service {
   /**
    * Ping Redis
    */
-  async _ping() {
+  async _ping () {
     try {
       await this.client.ping();
     }
@@ -134,7 +134,7 @@ class Redis extends Service {
 
     for (const command of commandsList) {
       this.commands[command] = async (...args) => {
-        if (!this.connected) {
+        if (! this.connected) {
           throw kerror.get('notconnected');
         }
 
@@ -156,7 +156,7 @@ class Redis extends Service {
 
     arr.forEach(item => {
       item = item.trim();
-      if (item.length > 0 && !item.startsWith('#')) {
+      if (item.length > 0 && ! item.startsWith('#')) {
         const keyValuePair = item.split(':');
         info[keyValuePair[0]] = keyValuePair[1];
       }
@@ -199,7 +199,7 @@ class Redis extends Service {
    * @returns {Promise}
    */
   mExecute (commands) {
-    if (!Array.isArray(commands) || commands.length === 0) {
+    if (! Array.isArray(commands) || commands.length === 0) {
       return Bluebird.resolve([]);
     }
 
@@ -211,7 +211,7 @@ class Redis extends Service {
   _searchNodeKeys (node, pattern) {
     return new Bluebird(resolve => {
       let keys = [];
-      const stream = node.scanStream({match: pattern});
+      const stream = node.scanStream({ match: pattern });
 
       stream.on('data', resultKeys => {
         keys = keys.concat(resultKeys);
@@ -243,7 +243,7 @@ class Redis extends Service {
    * @param  {{onlyIfNew: boolean, ttl: number}} [options]
    * @return {boolean} true if the key was set, false otherwise
    */
-  async store (key, value, {onlyIfNew = false, ttl = 0} = {}) {
+  async store (key, value, { onlyIfNew = false, ttl = 0 } = {}) {
     const command = [key, value];
 
     if (onlyIfNew) {