From 31020c9f07dc114f6942955c43f84414eda339d0 Mon Sep 17 00:00:00 2001 From: Valtteri Kantanen Date: Tue, 16 Apr 2024 13:50:29 +0300 Subject: [PATCH] Implement fetching person's sisu roles from importer --- docker-compose.yml | 2 + package-lock.json | 120 +++++++++++++++++++++++++++++++++++++ package.json | 1 + src/auth/sisuRoles.ts | 48 +++++++++++++++ src/index.ts | 9 ++- src/util/config.ts | 11 ++-- src/util/importerClient.ts | 20 +++++++ 7 files changed, 205 insertions(+), 6 deletions(-) create mode 100644 src/auth/sisuRoles.ts create mode 100644 src/util/importerClient.ts diff --git a/docker-compose.yml b/docker-compose.yml index bb350f4..c701ca5 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -6,6 +6,8 @@ services: context: ./ dockerfile: dev.Dockerfile image: jami_dev + env_file: + - .env environment: - DATABASE_URL=postgres://postgres:postgres@db:5432/postgres - PORT=3000 diff --git a/package-lock.json b/package-lock.json index 7130583..142c962 100644 --- a/package-lock.json +++ b/package-lock.json @@ -11,6 +11,7 @@ "dependencies": { "@sentry/node": "^7.27.0", "@sentry/tracing": "^7.27.0", + "axios": "^1.6.8", "dotenv": "^16.0.3", "express": "^4.18.2", "morgan": "^1.10.0", @@ -1902,6 +1903,21 @@ "resolved": "https://registry.npmjs.org/async/-/async-3.2.4.tgz", "integrity": "sha512-iAB+JbDEGXhyIUavoDl9WP/Jj106Kz9DEn1DPgYw5ruDn0e3Wgi3sKFm55sASdGBNOQB8F59d9qQ7deqrHA8wQ==" }, + "node_modules/asynckit": { + "version": "0.4.0", + "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz", + "integrity": "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==" + }, + "node_modules/axios": { + "version": "1.6.8", + "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.8.tgz", + "integrity": "sha512-v/ZHtJDU39mDpyBoFVkETcd/uNdxrWRrg3bKpOKzXFA6Bvqopts6ALSMU3y6ijYxbw2B+wPrIv46egTzJXCLGQ==", + "dependencies": { + "follow-redirects": "^1.15.6", + "form-data": "^4.0.0", + "proxy-from-env": "^1.1.0" + } + }, "node_modules/balanced-match": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz", @@ -2231,6 +2247,17 @@ "text-hex": "1.0.x" } }, + "node_modules/combined-stream": { + "version": "1.0.8", + "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz", + "integrity": "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==", + "dependencies": { + "delayed-stream": "~1.0.0" + }, + "engines": { + "node": ">= 0.8" + } + }, "node_modules/concat-map": { "version": "0.0.1", "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz", @@ -2345,6 +2372,14 @@ "url": "https://github.com/sponsors/ljharb" } }, + "node_modules/delayed-stream": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz", + "integrity": "sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==", + "engines": { + "node": ">=0.4.0" + } + }, "node_modules/depd": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/depd/-/depd-2.0.0.tgz", @@ -3105,6 +3140,38 @@ "resolved": "https://registry.npmjs.org/fn.name/-/fn.name-1.1.0.tgz", "integrity": "sha512-GRnmB5gPyJpAhTQdSZTSp9uaPSvl09KoYcMQtsB9rQoOmzs9dH6ffeccH+Z+cv6P68Hu5bC6JjRh4Ah/mHSNRw==" }, + "node_modules/follow-redirects": { + "version": "1.15.6", + "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.6.tgz", + "integrity": "sha512-wWN62YITEaOpSK584EZXJafH1AGpO8RVgElfkuXbTOrPX4fIfOyEpW/CsiNd8JdYrAoOvafRTOEnvsO++qCqFA==", + "funding": [ + { + "type": "individual", + "url": "https://github.com/sponsors/RubenVerborgh" + } + ], + "engines": { + "node": ">=4.0" + }, + "peerDependenciesMeta": { + "debug": { + "optional": true + } + } + }, + "node_modules/form-data": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.0.tgz", + "integrity": "sha512-ETEklSGi5t0QMZuiXoA/Q6vcnxcLQP5vdugSpuAyi6SVGi2clPPp+xgEhuMaHC+zGgn31Kd235W35f7Hykkaww==", + "dependencies": { + "asynckit": "^0.4.0", + "combined-stream": "^1.0.8", + "mime-types": "^2.1.12" + }, + "engines": { + "node": ">= 6" + } + }, "node_modules/forwarded": { "version": "0.2.0", "resolved": "https://registry.npmjs.org/forwarded/-/forwarded-0.2.0.tgz", @@ -4833,6 +4900,11 @@ "node": ">= 0.10" } }, + "node_modules/proxy-from-env": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-1.1.0.tgz", + "integrity": "sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==" + }, "node_modules/pstree.remy": { "version": "1.1.8", "resolved": "https://registry.npmjs.org/pstree.remy/-/pstree.remy-1.1.8.tgz", @@ -7568,6 +7640,21 @@ "resolved": "https://registry.npmjs.org/async/-/async-3.2.4.tgz", "integrity": "sha512-iAB+JbDEGXhyIUavoDl9WP/Jj106Kz9DEn1DPgYw5ruDn0e3Wgi3sKFm55sASdGBNOQB8F59d9qQ7deqrHA8wQ==" }, + "asynckit": { + "version": "0.4.0", + "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz", + "integrity": "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==" + }, + "axios": { + "version": "1.6.8", + "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.8.tgz", + "integrity": "sha512-v/ZHtJDU39mDpyBoFVkETcd/uNdxrWRrg3bKpOKzXFA6Bvqopts6ALSMU3y6ijYxbw2B+wPrIv46egTzJXCLGQ==", + "requires": { + "follow-redirects": "^1.15.6", + "form-data": "^4.0.0", + "proxy-from-env": "^1.1.0" + } + }, "balanced-match": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz", @@ -7819,6 +7906,14 @@ "text-hex": "1.0.x" } }, + "combined-stream": { + "version": "1.0.8", + "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz", + "integrity": "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==", + "requires": { + "delayed-stream": "~1.0.0" + } + }, "concat-map": { "version": "0.0.1", "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz", @@ -7904,6 +7999,11 @@ "object-keys": "^1.1.1" } }, + "delayed-stream": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz", + "integrity": "sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==" + }, "depd": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/depd/-/depd-2.0.0.tgz", @@ -8507,6 +8607,21 @@ "resolved": "https://registry.npmjs.org/fn.name/-/fn.name-1.1.0.tgz", "integrity": "sha512-GRnmB5gPyJpAhTQdSZTSp9uaPSvl09KoYcMQtsB9rQoOmzs9dH6ffeccH+Z+cv6P68Hu5bC6JjRh4Ah/mHSNRw==" }, + "follow-redirects": { + "version": "1.15.6", + "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.6.tgz", + "integrity": "sha512-wWN62YITEaOpSK584EZXJafH1AGpO8RVgElfkuXbTOrPX4fIfOyEpW/CsiNd8JdYrAoOvafRTOEnvsO++qCqFA==" + }, + "form-data": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.0.tgz", + "integrity": "sha512-ETEklSGi5t0QMZuiXoA/Q6vcnxcLQP5vdugSpuAyi6SVGi2clPPp+xgEhuMaHC+zGgn31Kd235W35f7Hykkaww==", + "requires": { + "asynckit": "^0.4.0", + "combined-stream": "^1.0.8", + "mime-types": "^2.1.12" + } + }, "forwarded": { "version": "0.2.0", "resolved": "https://registry.npmjs.org/forwarded/-/forwarded-0.2.0.tgz", @@ -9739,6 +9854,11 @@ "ipaddr.js": "1.9.1" } }, + "proxy-from-env": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-1.1.0.tgz", + "integrity": "sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==" + }, "pstree.remy": { "version": "1.1.8", "resolved": "https://registry.npmjs.org/pstree.remy/-/pstree.remy-1.1.8.tgz", diff --git a/package.json b/package.json index 4a937ae..c3679fe 100644 --- a/package.json +++ b/package.json @@ -42,6 +42,7 @@ "dependencies": { "@sentry/node": "^7.27.0", "@sentry/tracing": "^7.27.0", + "axios": "^1.6.8", "dotenv": "^16.0.3", "express": "^4.18.2", "morgan": "^1.10.0", diff --git a/src/auth/sisuRoles.ts b/src/auth/sisuRoles.ts new file mode 100644 index 0000000..ea5de48 --- /dev/null +++ b/src/auth/sisuRoles.ts @@ -0,0 +1,48 @@ +import getImporterClient from '../util/importerClient' + +const importerClient = getImporterClient() + +const sisuRolesGivingFullAccess = [ + 'hy-ac-kosu1', + 'hy-ac-kosu2', + 'hy-ac-kosu3', + 'hy-ac-opne1', + 'hy-ac-opne2', + 'hy-ac-opne3', + 'hy-ac-sview', +] + +type UserCacheEntry = { + hasAccess: boolean + accessedAt: Date +} + +const userCache = new Map() + +export const hasFullSisuAccess = async (personId: string) => { + if (!importerClient) return false + + if (userCache.has(personId)) { + const { hasAccess, accessedAt } = userCache.get(personId) + + // Cache is valid for 24 hours + if (new Date().getTime() - accessedAt.getTime() < 24 * 60 * 60 * 1000) { + return hasAccess + } + } + + const { data } = await importerClient.get(`/jami/sisuroles/${personId}`) + + if (data && Array.isArray(data)) { + const hasFullAccessToSisu = data.some((role) => + sisuRolesGivingFullAccess.includes(role.accessroleId), + ) + userCache.set(personId, { + hasAccess: hasFullAccessToSisu, + accessedAt: new Date(), + }) + return hasFullAccessToSisu + } + + return false +} diff --git a/src/index.ts b/src/index.ts index f5067c6..ff8939b 100644 --- a/src/index.ts +++ b/src/index.ts @@ -14,6 +14,7 @@ import { iamToFaculty, } from './auth/IAMConfig' import getIAMRights from './auth/IAMRights' +import { hasFullSisuAccess } from './auth/sisuRoles' import { FACULTIES } from './organisation/faculties' import { connectToDatabase } from './db/connection' @@ -33,8 +34,8 @@ app.use(accessLogger) app.get('/ping', (_req, res) => res.send('pong')) -app.post('/', (req, res) => { - const { userId, iamGroups = [] } = req.body +app.post('/', async (req, res) => { + const { userId, iamGroups = [], getSisuAccess = false } = req.body const relevantIamGroups = iamGroups.filter((iam) => relevantIAMs.includes(iam), @@ -42,6 +43,10 @@ app.post('/', (req, res) => { const { access, specialGroup } = getIAMRights(relevantIamGroups) + if (getSisuAccess) { + specialGroup.fullSisuAccess = await hasFullSisuAccess(userId) + } + if (userId && iamGroups) User.upsert({ id: userId, iamGroups }) logger.info('IAM authentication', { userId, iamGroups, access }) diff --git a/src/util/config.ts b/src/util/config.ts index 1a06ca9..5b3e013 100644 --- a/src/util/config.ts +++ b/src/util/config.ts @@ -1,10 +1,13 @@ import dotenv from 'dotenv' dotenv.config() -const PORT = process.env.PORT +export const PORT = process.env.PORT -const inProduction = process.env.NODE_ENV === 'production' +export const inProduction = process.env.NODE_ENV === 'production' -const DATABASE_URL = process.env.DATABASE_URL +export const DATABASE_URL = process.env.DATABASE_URL -export { DATABASE_URL, PORT, inProduction } +export const importerUrl = + 'https://api-toska.apps.ocp-prod-0.k8s.it.helsinki.fi/importer' + +export const importerToken = process.env.IMPORTER_DB_API_TOKEN || '' diff --git a/src/util/importerClient.ts b/src/util/importerClient.ts new file mode 100644 index 0000000..9b292bc --- /dev/null +++ b/src/util/importerClient.ts @@ -0,0 +1,20 @@ +import axios from 'axios' +import { importerUrl, importerToken } from './config' +import logger from './logger' + +const importerClient = axios.create({ + headers: { + token: importerToken, + }, + baseURL: importerUrl, +}) + +const getImporterClient = () => { + if (!importerToken) { + logger.error("Importer token not set, can't return client!") + return null + } + return importerClient +} + +export default getImporterClient