kuzzle 2.49.1 → 2.50.0-beta.3

package/dist/lib/core/security/roleRepository.js

@@ -0,0 +1,445 @@
+/*
+ * Kuzzle, a backend software, self-hostable and ready to use
+ * to power modern apps
+ *
+ * Copyright 2015-2022 Kuzzle
+ * mailto: support AT kuzzle.io
+ * website: http://kuzzle.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+"use strict";
+const Bluebird = require("bluebird");
+const kuzzleStateEnum = require("../../kuzzle/kuzzleStateEnum");
+const { Role } = require("../../model/security/role");
+const { ObjectRepository } = require("../shared/ObjectRepository");
+const kerror = require("../../kerror");
+const didYouMean = require("../../util/didYouMean");
+const { cacheDbEnum } = require("../cache/cacheDbEnum");
+const roleRightsError = kerror.wrap("security", "role");
+/**
+ * @class RoleRepository
+ * @extends ObjectRepository
+ */
+class RoleRepository extends ObjectRepository {
+    /**
+     * @constructor
+     * @param {SecurityModule} securityModule
+     */
+    constructor(securityModule) {
+        super({
+            cache: cacheDbEnum.INTERNAL,
+            store: global.kuzzle.internalIndex,
+        });
+        this.module = securityModule;
+        this.collection = "roles";
+        this.ObjectConstructor = Role;
+        this.roles = new Map();
+        this.logger = global.kuzzle.log.child("core:security:roleRepository");
+    }
+    init() {
+        /**
+         * Creates a new role
+         * @param  {String} id - role identifier / name
+         * @param  {Object} content
+         * @param  {Object} opts - force, refresh, userId (used for metadata)
+         * @returns {Role}
+         * @throws If already exists or if the content is invalid
+         */
+        global.kuzzle.onAsk("core:security:role:create", (id, content, opts) => this.create(id, content, opts));
+        /**
+         * Creates a new role, or replaces it if it already exists
+         * @param  {String} id
+         * @param  {Object} content
+         * @param  {Object} opts - force, refresh, userId (used for metadata)
+         * @returns {Role}
+         * @throws If the content is invalid
+         */
+        global.kuzzle.onAsk("core:security:role:createOrReplace", (id, content, opts) => this.createOrReplace(id, content, opts));
+        /**
+         * Deletes an existing role
+         * @param  {String} id
+         * @param  {Object} opts - refresh
+         * @throws If the role doesn't exist, if it is protected, or if it's
+         *         still in use
+         */
+        global.kuzzle.onAsk("core:security:role:delete", (id, opts) => this.deleteById(id, opts));
+        /**
+         * Loads and returns an existing role
+         * @param  {String} id - role identifier
+         * @returns {Role}
+         * @throws {NotFoundError} If the role doesn't exist
+         */
+        global.kuzzle.onAsk("core:security:role:get", (id) => this.load(id));
+        /**
+         * Invalidates the RAM cache from the given role ID. If none is provided,
+         * the entire cache is emptied.
+         *
+         * @param  {String} [id] - role identifier
+         */
+        global.kuzzle.onAsk("core:security:role:invalidate", (id) => this.invalidate(id));
+        /**
+         * Gets multiple roles
+         * @param  {Array} ids
+         * @returns {Array.<Role>}
+         * @throws If one or more roles don't exist
+         */
+        global.kuzzle.onAsk("core:security:role:mGet", (ids) => this.loadRoles(ids));
+        /**
+         * Searches roles associated to a provided list of API controllers
+         * @param  {Array.<String>} controllers
+         * @param  {Number} from
+         * @param  {Number} size
+         * @returns {Object} Search results
+         */
+        global.kuzzle.onAsk("core:security:role:search", (controllers, opts) => this.searchRole(controllers, opts));
+        /**
+         * Removes all existing roles and invalidates the RAM cache
+         * @param  {Object} opts (refresh)
+         */
+        global.kuzzle.onAsk("core:security:role:truncate", (opts) => this.truncate(opts));
+        /**
+         * Updates an existing profile using a partial content
+         * @param  {String} id - profile identifier to update
+         * @param  {Object} content - partial content to apply
+         * @param  {Object} opts - force, refresh, retryOnConflict,
+         *                         userId (used for metadata)
+         * @returns {Role} Updated role
+         */
+        global.kuzzle.onAsk("core:security:role:update", (id, content, opts) => this.update(id, content, opts));
+        /**
+         * Verifies that existing roles are sane
+         */
+        global.kuzzle.onAsk("core:security:verify", () => this.sanityCheck());
+    }
+    /**
+     * From a list of role ids, retrieves the matching Role objects.
+     *
+     * @param {Array} ids The role ids to load
+     * @param {Object} options - resetCache (false)
+     * @returns {Promise.<Array.<Role>>}
+     */
+    loadRoles(ids) {
+        const roles = [];
+        for (const id of ids) {
+            let role = this.roles.get(id);
+            if (!role) {
+                role = this.loadOneFromDatabase(id).then((r) => {
+                    this.roles.set(id, r);
+                    return r;
+                });
+                this.roles.set(id, role);
+            }
+            roles.push(role);
+        }
+        return Bluebird.all(roles);
+    }
+    /**
+     * Creates a new role, or create/replace a role
+     *
+     * @param {String} id
+     * @param {Object} content
+     * @param {Object} [opts]
+     * @returns {Role}
+     */
+    async _createOrReplace(id, content, { force = false, method, refresh = "false", userId = null } = {}) {
+        const dto = {
+            ...content,
+            // Always last, in case content contains these keys
+            _id: id,
+            _kuzzle_info: {
+                author: userId,
+                createdAt: Date.now(),
+                updatedAt: null,
+                updater: null,
+            },
+        };
+        const role = await this.fromDTO(dto);
+        return this.validateAndSaveRole(role, { force, method, refresh });
+    }
+    /**
+     * Creates a new role
+     *
+     * @param {String} id
+     * @param {Object} content
+     * @param {Object} [opts]
+     * @returns {Role}
+     */
+    async create(id, content, opts) {
+        return this._createOrReplace(id, content, {
+            method: "create",
+            ...opts,
+        });
+    }
+    /**
+     * Creates or replaces a role
+     *
+     * @param {String} id
+     * @param {Object} content
+     * @param {Object} [opts]
+     * @returns {Role}
+     */
+    async createOrReplace(id, content, opts) {
+        return this._createOrReplace(id, content, {
+            method: "createOrReplace",
+            ...opts,
+        });
+    }
+    /**
+     * Updates a role (replaces the entire content)
+     *
+     * @todo  (breaking change) make this function able to handle partial updates
+     *        instead of replacing the entire role content (hint: _.merge)
+     *
+     * @param  {String} id
+     * @param  {Object} content
+     * @param  {Object} [opts]
+     * @returns {Promise}
+     */
+    async update(id, content, { force, refresh, retryOnConflict, userId } = {}) {
+        const updated = await this.fromDTO({
+            // /!\ order is important
+            ...content,
+            // Always last, in case content contains these keys
+            _id: id,
+            _kuzzle_info: {
+                updatedAt: Date.now(),
+                updater: userId,
+            },
+        });
+        return this.validateAndSaveRole(updated, {
+            force,
+            method: "replace",
+            refresh,
+            retryOnConflict,
+        });
+    }
+    /**
+     * Get from database the document that represent the role given in parameter
+     *
+     * @param {string} id
+     * @returns {Promise.<Role>} role
+     * @throws {NotFoundError} If the corresponding role doesn't exist
+     */
+    async load(id) {
+        if (this.roles.has(id)) {
+            return this.roles.get(id);
+        }
+        const role = await this.loadOneFromDatabase(id);
+        await this.roles.set(role._id, role);
+        return role;
+    }
+    /**
+     * @override
+     */
+    async loadOneFromDatabase(id) {
+        try {
+            return await super.loadOneFromDatabase(id);
+        }
+        catch (err) {
+            if (err.status === 404) {
+                throw kerror.get("security", "role", "not_found", id);
+            }
+            throw err;
+        }
+    }
+    /**
+     * @param {Object} body Search body containing either "query" or "controllers"
+     * @param {Object} options
+     */
+    async searchRole(body, { from = 0, size = 9999 } = {}) {
+        if (!body.controllers) {
+            return this.search(body, { from, size });
+        }
+        const searchResults = await this.search({ query: {}, sort: [] }, { from: 0, size: 9999 }); // /!\ NOT the options values
+        const result = {
+            hits: searchResults.hits,
+            total: searchResults.total,
+        };
+        if (body.controllers.length > 0) {
+            result.hits = searchResults.hits.filter((role) => Object.keys(role.controllers).some((key) => key === "*" || body.controllers.includes(key)));
+            result.total = result.hits.length;
+        }
+        result.hits = result.hits.slice(from, from + size);
+        return result;
+    }
+    /**
+     * Given a Role object, validates its definition and if OK, persist it to the database.
+     *
+     * @param {Role} role
+     * @param {object} [options] The persistence options
+     * @returns Promise
+     */
+    async validateAndSaveRole(role, options = {}) {
+        await role.validateDefinition();
+        if (role._id === "anonymous" && !role.canLogIn()) {
+            throw kerror.get("security", "role", "login_required");
+        }
+        this.checkRoleNativeRights(role);
+        this.checkRolePluginsRights(role, options);
+        await this.persistToDatabase(role, options);
+        const updatedRole = await this.loadOneFromDatabase(role._id);
+        await this.roles.set(role._id, updatedRole);
+        return updatedRole;
+    }
+    /**
+     * Given a Role object, checks if its controllers and actions exist.
+     *
+     * @param {Role} role
+     */
+    checkRoleNativeRights(role) {
+        Object.keys(role.controllers).forEach((roleController) => {
+            if (roleController !== "*" &&
+                !global.kuzzle.funnel.isNativeController(roleController)) {
+                return;
+            }
+            if (roleController === "*") {
+                Object.keys(role.controllers["*"].actions).forEach((action) => {
+                    if (action !== "*") {
+                        throw roleRightsError.get("unknown_action", role._id, action, "*");
+                    }
+                });
+            }
+            else {
+                const controller = global.kuzzle.funnel.controllers.get(roleController);
+                const actions = Object.keys(role.controllers[roleController].actions);
+                actions.forEach((action) => {
+                    if (action !== "*" && !controller._isAction(action)) {
+                        throw roleRightsError.get("unknown_action", role._id, action, roleController, didYouMean(action, controller.__actions));
+                    }
+                });
+            }
+        });
+    }
+    /**
+     * Given a Role object, checks if its controllers and actions exist in plugins.
+     *
+     * @param {Role} role
+     * @param {Force} force
+     */
+    checkRolePluginsRights(role, { force = false, forceWarn = false } = {}) {
+        const plugins = global.kuzzle.pluginsManager;
+        for (const roleController of Object.keys(role.controllers)) {
+            if (roleController === "*" ||
+                global.kuzzle.funnel.isNativeController(roleController)) {
+                return;
+            }
+            if (!plugins.isController(roleController)) {
+                if (!force) {
+                    throw roleRightsError.get("unknown_controller", role._id, roleController, didYouMean(roleController, plugins.getControllerNames()));
+                }
+                // Do not print any warning if Kuzzle is not started or if warn is not forced.
+                // We need this to load rights without displaying warning at startup
+                // because plugins controllers are loaded after default roles
+                // then we need to display non-existing controllers with the sanity check
+                // made after plugins controllers loading.
+                if (global.kuzzle.state === kuzzleStateEnum.RUNNING || forceWarn) {
+                    this.logger.warn(`The role "${role._id}" gives access to the non-existing controller "${roleController}".`);
+                }
+                return;
+            }
+            const roleActions = Object.keys(role.controllers[roleController].actions);
+            for (const action of roleActions) {
+                if (action !== "*" && !plugins.isAction(roleController, action)) {
+                    if (!force) {
+                        throw roleRightsError.get("unknown_action", role._id, action, roleController, didYouMean(action, plugins.getActions(roleController)));
+                    }
+                    // see the other comment
+                    if (global.kuzzle.state === kuzzleStateEnum.RUNNING || forceWarn) {
+                        this.logger.warn(`The role "${role._id}" gives access to the non-existing action "${action}" for the controller "${roleController}".`);
+                    }
+                }
+            }
+        }
+    }
+    /**
+     * Fetching roles and check for each of them for invalid plugin rights.
+     * If there are some, Kuzzle will log a warning.
+     */
+    async sanityCheck() {
+        const roles = await this.search({}, {});
+        for (const role of roles.hits) {
+            this.checkRolePluginsRights(role, { force: true, forceWarn: true });
+        }
+    }
+    /**
+     * Deletes a role
+     *
+     * @param {String} id
+     * @param {object} [options]
+     * @returns Promise
+     */
+    async deleteById(id, options) {
+        const role = await this.load(id);
+        return this.delete(role, options);
+    }
+    /**
+     * @override
+     */
+    async delete(role, { refresh = "false" } = {}) {
+        if (["admin", "default", "anonymous"].indexOf(role._id) > -1) {
+            throw kerror.get("security", "role", "cannot_delete");
+        }
+        const query = { term: { "policies.roleId": role._id } };
+        const response = await this.module.profile.search({ query }, {
+            from: 0,
+            size: 1,
+        });
+        if (response.total > 0) {
+            throw kerror.get("security", "role", "in_use", role._id);
+        }
+        await this.deleteFromDatabase(role._id, { refresh });
+        this.roles.delete(role._id);
+    }
+    /**
+     * From a Role object, returns an object ready to be persisted
+     *
+     * @param {Role} role
+     * @returns {object}
+     */
+    serializeToDatabase(role) {
+        const serializedRole = {};
+        Object.keys(role).forEach((key) => {
+            if (key !== "_id" && key !== "restrictedTo") {
+                serializedRole[key] = role[key];
+            }
+        });
+        return serializedRole;
+    }
+    /**
+     * @override
+     */
+    async truncate(opts) {
+        try {
+            await super.truncate(opts);
+        }
+        finally {
+            this.invalidate();
+        }
+    }
+    /**
+     * Invalidate the cache entries for the given role. If none is provided,
+     * the entire cache is emptied.
+     * @param {string} [roleId]
+     */
+    invalidate(roleId) {
+        if (!roleId) {
+            this.roles.clear();
+        }
+        else {
+            this.roles.delete(roleId);
+        }
+    }
+}
+module.exports = RoleRepository;
+//# sourceMappingURL=roleRepository.js.map

package/dist/lib/core/security/securityLoader.d.ts

@@ -0,0 +1,24 @@
+export = SecurityLoader;
+/**
+ * @class SecurityLoader
+ */
+declare class SecurityLoader {
+    logger: import("../../kuzzle/Logger").Logger;
+    init(): Promise<void>;
+    load(permissions?: {}, { force, onExistingUsers, onExistingUsersWarning, refresh, user, }?: {
+        force: any;
+        onExistingUsers?: string;
+        onExistingUsersWarning?: boolean;
+        refresh?: string;
+        user?: any;
+    }): Promise<void>;
+    _create(action: any, objects: any, collection: any, { force, refresh, user }?: {
+        force: any;
+        refresh: any;
+        user: any;
+    }): Promise<void>;
+    _getUsersToLoad(users: any, { onExistingUsers, warning }?: {
+        onExistingUsers: any;
+        warning: any;
+    }): Promise<any>;
+}

package/dist/lib/core/security/securityLoader.js

@@ -0,0 +1,125 @@
+/*
+ * Kuzzle, a backend software, self-hostable and ready to use
+ * to power modern apps
+ *
+ * Copyright 2015-2022 Kuzzle
+ * mailto: support AT kuzzle.io
+ * website: http://kuzzle.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+"use strict";
+const { isEmpty } = require("lodash");
+const Bluebird = require("bluebird");
+const { Request } = require("../../api/request");
+const { assertIsObject } = require("../../util/requestAssertions");
+const kerror = require("../../kerror");
+/**
+ * @class SecurityLoader
+ */
+class SecurityLoader {
+    constructor() {
+        this.logger = global.kuzzle.log.child("core:security:loader");
+    }
+    async init() {
+        /**
+         * Loads permissions into the app
+         * @param {Object} permissions Object containing roles, profiles and users
+         * @param {Object} opts - force, onExistingUsers (fail), onExistingUsersWarning (false), user (null)
+         */
+        global.kuzzle.onAsk("core:security:load", (json, opts) => this.load(json, opts));
+    }
+    async load(permissions = {}, { force, onExistingUsers = "fail", onExistingUsersWarning = false, refresh = "false", user = null, } = {}) {
+        assertIsObject(permissions);
+        await this._create("createOrReplaceRole", permissions.roles, "roles", {
+            force,
+            refresh,
+            user,
+        });
+        await this._create("createOrReplaceProfile", permissions.profiles, "profiles", { refresh, user });
+        const usersToLoad = await this._getUsersToLoad(permissions.users, {
+            onExistingUsers,
+            warning: onExistingUsersWarning,
+        });
+        await this._create("createUser", usersToLoad, "users", { refresh, user });
+    }
+    async _create(action, objects, collection, { force, refresh, user } = {}) {
+        if (!objects) {
+            return;
+        }
+        assertIsObject(objects);
+        const promises = [];
+        for (const [_id, body] of Object.entries(objects)) {
+            assertIsObject(body);
+            const request = new Request({
+                _id,
+                action,
+                body,
+                controller: "security",
+                force,
+                refresh,
+            }, { user });
+            promises.push(global.kuzzle.funnel.processRequest(request));
+        }
+        await Bluebird.all(promises);
+        await global.kuzzle.internalIndex.refreshCollection(collection);
+    }
+    async _getUsersToLoad(users, { onExistingUsers, warning } = {}) {
+        if (isEmpty(users)) {
+            return users;
+        }
+        const ids = Object.keys(users);
+        const mGetUsers = new Request({
+            action: "mGetUsers",
+            body: { ids },
+            controller: "security",
+        });
+        const { result } = await global.kuzzle.funnel.processRequest(mGetUsers);
+        const existingUserIds = result.hits.map(({ _id }) => _id);
+        if (existingUserIds.length === 0) {
+            return users;
+        }
+        if (onExistingUsers === "fail") {
+            throw kerror.get("security", "user", "prevent_overwrite");
+        }
+        else if (onExistingUsers === "skip") {
+            if (warning) {
+                this.logger.info(`Users skipped during import: ${existingUserIds}`);
+            }
+            return Object.entries(users).reduce((memo, [userId, content]) => {
+                if (!existingUserIds.includes(userId)) {
+                    memo[userId] = content;
+                }
+                return memo;
+            }, {});
+        }
+        else if (onExistingUsers === "overwrite") {
+            if (warning) {
+                this.logger.info(`Users overwritten during import: ${existingUserIds}`);
+            }
+            const mDeleteUsers = new Request({
+                action: "mDeleteUsers",
+                body: { ids: existingUserIds },
+                controller: "security",
+                refresh: "wait_for",
+            });
+            await global.kuzzle.funnel.processRequest(mDeleteUsers);
+            return users;
+        }
+        else {
+            throw kerror.get("api", "assert", "unexpected_argument", "onExistingUsers", ["skip", "overwrite", "fail"]);
+        }
+    }
+}
+module.exports = SecurityLoader;
+//# sourceMappingURL=securityLoader.js.map

package/{lib → dist/lib}/core/security/tokenRepository.js

@@ -302,7 +302,7 @@ class TokenRepository extends ObjectRepository_1.ObjectRepository {
                     userId: decoded._id,
                 },
             },
-        });
+        }, {});
         const targetApiKey = userApiKeys?.find((apiKey) => apiKey.fingerprint === fingerprint);
         if (!targetApiKey) {
             throw securityError.get("invalid");

package/dist/lib/core/security/userRepository.d.ts

@@ -0,0 +1,81 @@
+export = UserRepository;
+/**
+ * @class UserRepository
+ * @extends ObjectRepository
+ */
+declare class UserRepository extends ObjectRepository<any> {
+    /**
+     * @param {SecurityModule} securityModule
+     * @constructor
+     */
+    constructor(securityModule: SecurityModule);
+    module: SecurityModule;
+    ObjectConstructor: typeof User;
+    anonymousUser: User;
+    init(): Promise<void>;
+    /**
+     * Creates a user
+     * @param {String} id
+     * @param {Array} profileIds - profiles to associate to this user
+     * @param {Object} content
+     * @param {Object} [opts]
+     */
+    create(id: string, profileIds: any[], content: any, { userId, refresh }?: any): Promise<any>;
+    /**
+     * Updates a user's content
+     * @param  {String} id
+     * @param  {Array}  profileIds
+     * @param  {Object} content
+     * @param  {Object} [opts]
+     * @returns {Promise}
+     */
+    update(id: string, profileIds: any[], content: any, { refresh, retryOnConflict, userId }?: any): Promise<any>;
+    /**
+     * Replaces a user's content
+     * @param  {String} id
+     * @param  {Object} content
+     * @param  {Object} [opts]
+     * @returns {Promise}
+     */
+    replace(id: string, profileIds: any, content: any, { refresh, userId }?: {
+        refresh?: string;
+        userId: any;
+    }): Promise<any>;
+    /**
+     * Loads a user
+     *
+     * @param {string} id
+     * @returns {Promise.<User>}
+     * @throws {NotFoundError} If the user is not found
+     */
+    load(id: string): Promise<User>;
+    persist(user: any, options?: {}): Promise<any>;
+    /**
+     * @param dto
+     * @returns {Promise<User>}
+     */
+    fromDTO(dto: any): Promise<User>;
+    /**
+     * Deletes a user from memory and database, along with its related tokens and
+     * strategies.
+     *
+     * @param {String} id
+     * @param {Object} [options]
+     * @returns {Promise}
+     */
+    deleteById(id: string, opts: any): Promise<any>;
+    /**
+     * @override
+     */
+    override delete(user: any, { refresh }?: {
+        refresh?: string;
+    }): Promise<void>;
+    _removeUserStrategies(user: any): Promise<void>;
+    /**
+     * @override
+     */
+    override loadOneFromDatabase(id: any): Promise<any>;
+    adminExists(): Promise<boolean>;
+}
+import { ObjectRepository } from "../shared/ObjectRepository";
+import { User } from "../../model/security/user";