kuzzle 2.17.8 → 2.19.0

package/lib/core/network/protocols/httpwsProtocol.js

@@ -256,10 +256,15 @@ class HttpWsProtocol extends Protocol {
   }
 
   wsOnUpgradeHandler (res, req, context) {
+    const headers = {};
+    // Extract headers from uWS request
+    req.forEach((header, value) => {
+      headers[header] = value;
+    });
+
     res.upgrade(
       {
-        cookie: req.getHeader('cookie'),
-        origin: req.getHeader('origin'),
+        headers,
       },
       req.getHeader('sec-websocket-key'),
       req.getHeader('sec-websocket-protocol'),
@@ -273,10 +278,7 @@ class HttpWsProtocol extends Protocol {
     const connection = new ClientConnection(
       this.name,
       [ip],
-      {
-        cookie: socket.cookie,
-        origin: socket.origin
-      }
+      socket.headers
     );
 
     this.entryPoint.newConnection(connection);
@@ -553,10 +555,16 @@ class HttpWsProtocol extends Protocol {
     if (type.includes('multipart/form-data')) {
       const parts = uWS.getParts(content, message.headers['content-type']);
       message.content = {};
+      
+      if (! parts) {
+        cb();
+        return;
+      }
 
       for (const part of parts) {
         if (part.data.byteLength > this.maxFormFileSize) {
           cb(HTTP_FILE_TOO_LARGE_ERROR);
+          return;
         }
 
         if (part.filename) {

package/lib/core/plugin/plugin.js

@@ -300,6 +300,13 @@ class Plugin {
         'Controller definition must be an object');
     }
 
+    if (! isPlainObject(definition.actions)) {
+      throw assertionError.get(
+        'invalid_controller_definition',
+        name,
+        'Controller definition "actions" property must be an object');
+    }
+
     for (const [action, actionDefinition] of Object.entries(definition.actions)) {
       const actionProperties = Object.keys(actionDefinition);
 

package/lib/core/shared/sdk/embeddedSdk.d.ts

@@ -1,12 +1,12 @@
-import { RealtimeController, Notification, JSONObject, ScopeOption, UserOption, Kuzzle } from 'kuzzle-sdk';
-import { RequestPayload, ResponsePayload } from '../../../types';
+import { RealtimeController, Notification, JSONObject, ScopeOption, UserOption, Kuzzle, RequestPayload } from 'kuzzle-sdk';
+import { ResponsePayload } from '../../../types';
 interface EmbeddedRealtime extends RealtimeController {
     /**
      * Subscribes by providing a set of filters: messages, document changes
      * and, optionally, user events matching the provided filters will generate
      * real-time notifications.
      *
-     * @see https://docs.kuzzle.io/core/2/guides/main-concepts/6-realtime-engine/
+     * @see https://docs.kuzzle.io/core/2/guides/main-concepts/realtime-engine/
      *
      * @param index Index name
      * @param collection Collection name

package/lib/core/shared/sdk/embeddedSdk.js

@@ -48,11 +48,36 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.EmbeddedSDK = void 0;
 const kuzzle_sdk_1 = require("kuzzle-sdk");
+const lodash_1 = __importDefault(require("lodash"));
 const funnelProtocol_1 = require("./funnelProtocol");
 const safeObject_1 = require("../../../util/safeObject");
 const kerror = __importStar(require("../../../kerror"));
 const impersonatedSdk_1 = __importDefault(require("./impersonatedSdk"));
 const contextError = kerror.wrap('plugin', 'context');
+const forbiddenEmbeddedActions = {
+    'auth': new Set([
+        'checkRights',
+        'createApiKey',
+        'createMyCredentials',
+        'credentialsExist',
+        'deleteApiKey',
+        'getCurrentUser',
+        'getMyCredentials',
+        'getMyRights',
+        'getStrategies',
+        'logout',
+        'refreshToken',
+        'searchApiKeys',
+        'updateMyCredentials',
+        'updateSelf',
+        'validateMyCredentials',
+    ]),
+};
+const warnEmbeddedActions = {
+    'auth': {
+        'login': 'EmbeddedSDK.login is deprecated, use user impersonation instead',
+    }
+};
 /**
  * Kuzzle embedded SDK to make API calls inside applications or plugins.
  */
@@ -91,6 +116,14 @@ class EmbeddedSDK extends kuzzle_sdk_1.Kuzzle {
                 ? false
                 : options.propagate;
         }
+        if (forbiddenEmbeddedActions[request.controller] !== undefined
+            && forbiddenEmbeddedActions[request.controller].has(request.action)) {
+            throw kerror.get('api', 'process', 'forbidden_embedded_sdk_action', request.controller, request.action, ', use user impersonation or security controller instead');
+        }
+        const warning = lodash_1.default.get(warnEmbeddedActions, [request.controller, request.action]);
+        if (warning) {
+            global.kuzzle.log.warn(warning);
+        }
         return super.query(request, options);
     }
 }

package/lib/core/shared/sdk/funnelProtocol.d.ts

@@ -1,5 +1,4 @@
-import { KuzzleEventEmitter } from 'kuzzle-sdk';
-import { RequestPayload } from '../../../types';
+import { KuzzleEventEmitter, RequestPayload } from 'kuzzle-sdk';
 export declare class FunnelProtocol extends KuzzleEventEmitter {
     private id;
     private connectionId;

package/lib/kerror/codes/0-core.json

@@ -154,6 +154,41 @@
           "class": "GatewayTimeoutError"
         }
       }
+    },
+    "debugger": {
+      "code": 5,
+      "errors": {
+        "not_enabled": {
+          "description": "The debugger is not enabled",
+          "code": 1,
+          "message": "Debugger is not enabled",
+          "class": "PreconditionError"
+        },
+        "monitor_already_running": {
+          "description": "The monitor is already running",
+          "code": 2,
+          "message": "The monitoring of \"%s\" is already running",
+          "class": "PreconditionError"
+        },
+        "monitor_not_running": {
+          "description": "The monitor is not running",
+          "code": 3,
+          "message": "The monitoring of \"%s\" is not running",
+          "class": "PreconditionError"
+        },
+        "native_debug_protocol_usage_denied": {
+          "description": "Usage of the native debug protocol is not allowed",
+          "code": 4,
+          "message": "Usage of the native debug protocol is not allowed",
+          "class": "PreconditionError"
+        },
+        "method_not_found": {
+          "description": "Debugger method not found",
+          "code": 5,
+          "message": "Debugger method \"%s\" not found.",
+          "class": "PreconditionError"
+        }
+      }
     }
   }
 }

package/lib/kerror/codes/1-services.json

@@ -273,7 +273,7 @@
         "multiple_indice_alias": {
           "description": "The unique association between an indice and its alias has not been respected",
           "code": 48,
-          "message": "An \"%s\" is not allowed to be associated with multiple \"%\". This is probably not linked to this request but rather the consequence of previous actions on ElasticSearch.",
+          "message": "An %s is not allowed to be associated with multiple %s. This is probably not linked to this request but rather the consequence of previous actions on ElasticSearch.",
           "class": "PreconditionError"
         },
         "invalid_multi_index_collection_usage": {

package/lib/kerror/codes/2-api.json

@@ -182,6 +182,12 @@
           "code": 13,
           "message": "Rejected: Too many login attempts per second",
           "class": "TooManyRequestsError"
+        },
+        "forbidden_embedded_sdk_action": {
+          "description": "A forbidden EmbdeddedSDK action has been called",
+          "code": 14,
+          "message": "The action %s:%s has been called while it is forbidden in the EmbeddedSDK%s.",
+          "class": "PluginImplementationError"
         }
       }
     }

package/lib/kerror/errors/kuzzleError.d.ts

@@ -10,7 +10,7 @@ export declare class KuzzleError extends Error {
     status: number;
     /**
      * Error unique code
-     * @see https://docs.kuzzle.io/core/2/core/2/api/essentials/error-codes/
+     * @see https://docs.kuzzle.io/core/2/api/errors/error-codes/
      */
     code: number;
     /**

package/lib/kuzzle/kuzzle.d.ts

@@ -1 +1 @@
-export {};
+export declare const BACKEND_IMPORT_KEY = "backend:init:import";

package/lib/kuzzle/kuzzle.js

@@ -46,6 +46,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.BACKEND_IMPORT_KEY = void 0;
 const path_1 = __importDefault(require("path"));
 const murmurhash_native_1 = require("murmurhash-native");
 const json_stable_stringify_1 = __importDefault(require("json-stable-stringify"));
@@ -78,7 +79,8 @@ const cluster_1 = __importDefault(require("../cluster"));
 const package_json_1 = require("../../package.json");
 const name_generator_1 = require("../util/name-generator");
 const openapi_1 = require("../api/openapi");
-const BACKEND_IMPORT_KEY = 'backend:init:import';
+const crypto_1 = require("../util/crypto");
+exports.BACKEND_IMPORT_KEY = 'backend:init:import';
 let _kuzzle = null;
 Reflect.defineProperty(global, 'kuzzle', {
     configurable: true,
@@ -201,7 +203,7 @@ class Kuzzle extends kuzzleEventEmitter_1.default {
             this.log.info('[✔] Cluster initialized');
         }
         else {
-            id = (0, name_generator_1.generateRandomName)('knode');
+            id = name_generator_1.NameGenerator.generateRandomName({ prefix: 'knode' });
             this.log.info('[X] Cluster disabled: single node mode.');
         }
         return id;
@@ -368,11 +370,10 @@ class Kuzzle extends kuzzleEventEmitter_1.default {
      */
     async _waitForImportToFinish() {
         const importTypes = Object.keys(this.importTypes);
-        while (importTypes.length) {
+        for (const importType of importTypes) {
             // If the import is done, we pop it from the queue to check the next one
-            if (await this.ask('core:cache:internal:get', `${BACKEND_IMPORT_KEY}:${importTypes[0]}`)) {
-                importTypes.shift();
-                continue;
+            if (await this.ask('core:cache:internal:get', `${exports.BACKEND_IMPORT_KEY}:${importType}`)) {
+                return;
             }
             await bluebird_1.default.delay(1000);
         }
@@ -399,8 +400,26 @@ class Kuzzle extends kuzzleEventEmitter_1.default {
         const lockedMutex = [];
         try {
             for (const [type, importMethod] of Object.entries(this.importTypes)) {
+                const importPayload = {};
+                switch (type) {
+                    case 'fixtures':
+                        lodash_1.default.set(importPayload, 'toSupport.fixtures', toSupport.fixtures);
+                        break;
+                    case 'mappings':
+                        lodash_1.default.set(importPayload, 'toSupport.mappings', toSupport.mappings);
+                        lodash_1.default.set(importPayload, 'toImport.mappings', toImport.mappings);
+                        break;
+                    case 'permissions':
+                        lodash_1.default.set(importPayload, 'toSupport.securities', toSupport.securities);
+                        lodash_1.default.set(importPayload, 'toImport.profiles', toImport.profiles);
+                        lodash_1.default.set(importPayload, 'toImport.roles', toImport.roles);
+                        lodash_1.default.set(importPayload, 'toImport.users', toImport.users);
+                        break;
+                }
+                const importPayloadHash = (0, crypto_1.sha256)((0, json_stable_stringify_1.default)(importPayload));
                 const mutex = new mutex_1.Mutex(`backend:import:${type}`, { timeout: 0 });
-                const initialized = await this.ask('core:cache:internal:get', `${BACKEND_IMPORT_KEY}:${type}`) === '1';
+                const existingHash = await this.ask('core:cache:internal:get', `${exports.BACKEND_IMPORT_KEY}:${type}`);
+                const initialized = existingHash === importPayloadHash;
                 const locked = await mutex.lock();
                 await importMethod({ toImport, toSupport }, {
                     firstCall: !initialized && locked,
@@ -409,7 +428,7 @@ class Kuzzle extends kuzzleEventEmitter_1.default {
                 });
                 if (!initialized && locked) {
                     lockedMutex.push(mutex);
-                    await this.ask('core:cache:internal:store', `${BACKEND_IMPORT_KEY}:${type}`, 1, { ttl: 5 * 60 * 1000 });
+                    await this.ask('core:cache:internal:store', `${exports.BACKEND_IMPORT_KEY}:${type}`, importPayloadHash);
                 }
             }
             await this._waitForImportToFinish();

package/lib/model/security/user.js

@@ -47,9 +47,8 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.User = void 0;
-const rights_1 = __importDefault(require("./rights"));
-const bluebird_1 = __importDefault(require("bluebird"));
 const lodash_1 = __importDefault(require("lodash"));
+const rights_1 = __importDefault(require("./rights"));
 const kerror = __importStar(require("../../kerror"));
 /**
  * @class User
@@ -73,7 +72,7 @@ class User {
      */
     async getRights() {
         const profiles = await this.getProfiles();
-        const results = await bluebird_1.default.map(profiles, p => p.getRights());
+        const results = await Promise.all(profiles.map(p => p.getRights()));
         const rights = {};
         results.forEach(right => lodash_1.default.assignWith(rights, right, rights_1.default.merge));
         return rights;
@@ -97,15 +96,15 @@ class User {
             return false;
         }
         // Every target must be allowed by at least one profile
-        return this.areTargetsAllowed(profiles, targets);
+        return this.areTargetsAllowed(request, profiles, targets);
     }
     /**
      * Verifies that every targets are allowed by at least one profile,
      * while skipping the ones that includes a wildcard since they will be expanded
      * later on, based on index and collections authorized for the given user.
      */
-    async areTargetsAllowed(profiles, targets) {
-        const profilesPolicies = await bluebird_1.default.map(profiles, profile => profile.getAllowedPolicies());
+    async areTargetsAllowed(request, profiles, targets) {
+        const profilesPolicies = await Promise.all(profiles.map(profile => profile.getAllowedPolicies(request)));
         // Every target must be allowed by at least one profile
         for (const target of targets) {
             // Skip targets with no Index or Collection

package/lib/model/storage/apiKey.js

@@ -21,16 +21,11 @@
 
 'use strict';
 
-const crypto = require('crypto');
-
+const { sha256 } = require('../../util/crypto');
 const debug = require('../../util/debug')('models:storage:apiKey');
 const kerror = require('../../kerror');
 const BaseModel = require('./baseModel');
 
-function sha256 (string) {
-  return crypto.createHash('sha256').update(string).digest('hex');
-}
-
 class ApiKey extends BaseModel {
   constructor (_source, _id = null) {
     super(_source, _id);