Merge pull request #1230 from jembi/Rework-roles-and-permissions

Rework roles and permissions

Author: drizzentic

package-lock.json

@@ -1,22 +1,12 @@
 'use strict'
 
 import logger from 'winston'
-import * as authorisation from './authorisation'
+
 import {AppModelAPI} from '../model/apps'
+import { RoleModelAPI } from '../model/role'
 import {DEFAULT_IMPORT_MAP_PATHS} from '../constants'
+import * as utils from '../utils'
 
-/*
-  Checks admin permission for create, update and delete operations.
-  Throws error if user does not have admin access
-*/
-const checkUserPermission = (ctx, operation) => {
-  if (!authorisation.inGroup('admin', ctx.authenticated)) {
-    ctx.statusCode = 403
-    throw Error(
-      `User ${ctx.authenticated.email} is not an admin, API access to ${operation} an app denied.`
-    )
-  }
-}
 
 /*
   Returns app if it exists, if not it throws an error
@@ -53,7 +43,9 @@ const validateId = (ctx, id) => {
 
 export async function addApp(ctx) {
   try {
-    checkUserPermission(ctx, 'add')
+    const authorised = await utils.checkUserPermission(ctx, 'addApp', 'app-manage-all')
+
+    if (!authorised) return
 
     const app = new AppModelAPI(ctx.request.body)
 
@@ -76,7 +68,9 @@ export async function addApp(ctx) {
 
 export async function updateApp(ctx, appId) {
   try {
-    checkUserPermission(ctx, 'update')
+    const authorised = await utils.checkUserPermission(ctx, 'updateApp', 'app-manage-all')
+
+    if (!authorised) return
 
     validateId(ctx, appId)
 
@@ -115,6 +109,10 @@ export async function getApps(ctx) {
 
 export async function getApp(ctx, appId) {
   try {
+    const authorised = await utils.checkUserPermission(ctx, 'getApp', 'app-view-all', 'app-view-specified', appId)
+
+    if (!authorised) return
+
     validateId(ctx, appId)
 
     const app = await checkAppExists(ctx, appId)
@@ -130,7 +128,9 @@ export async function getApp(ctx, appId) {
 
 export async function deleteApp(ctx, appId) {
   try {
-    checkUserPermission(ctx, 'delete')
+    const authorised = await utils.checkUserPermission(ctx, 'deleteApp', 'app-manage-all')
+
+    if (!authorised) return
 
     validateId(ctx, appId)
 

performance/mediator/package-lock.json

@@ -5,7 +5,6 @@ import logger from 'winston'
 import os from 'os'
 
 import * as auditing from '../auditing'
-import * as authorisation from './authorisation'
 import * as utils from '../utils'
 import {AuditMetaModel, AuditModel} from '../model/audits'
 import {config} from '../config'
@@ -61,20 +60,13 @@ function auditLogUsed(auditId, outcome, user) {
  * Adds a Audit
  */
 export async function addAudit(ctx) {
-  // Test if the user is authorised
-  if (!authorisation.inGroup('admin', ctx.authenticated)) {
-    utils.logAndSetResponse(
-      ctx,
-      403,
-      `User ${ctx.authenticated.email} is not an admin, API access to addAudit denied.`,
-      'info'
-    )
-    return
-  }
+  try {
+    const authorised = await utils.checkUserPermission(ctx, 'addAudit', 'audit-trail-manage')
 
-  const auditData = ctx.request.body
+    if (!authorised) return
+
+    const auditData = ctx.request.body
 
-  try {
     const audit = new AuditModel(auditData)
     await audit.save()
     await processAuditMeta(audit)
@@ -99,18 +91,11 @@ function checkPatientID(patientID) {
  * Retrieves the list of Audits
  */
 export async function getAudits(ctx) {
-  // Must be admin
-  if (!authorisation.inGroup('admin', ctx.authenticated)) {
-    utils.logAndSetResponse(
-      ctx,
-      403,
-      `User ${ctx.authenticated.email} is not an admin, API access to getAudits denied.`,
-      'info'
-    )
-    return
-  }
-
   try {
+    const authorised = await utils.checkUserPermission(ctx, 'getAudits', 'audit-trail-view')
+
+    if (!authorised) return
+
     let filters
     const filtersObject = ctx.request.query
 
@@ -237,21 +222,14 @@ export async function getAudits(ctx) {
  * Retrieves the details for a specific Audit Record
  */
 export async function getAuditById(ctx, auditId) {
-  // Must be admin
-  if (!authorisation.inGroup('admin', ctx.authenticated)) {
-    utils.logAndSetResponse(
-      ctx,
-      403,
-      `User ${ctx.authenticated.email} is not an admin, API access to getAuditById denied.`,
-      'info'
-    )
-    return
-  }
+  try {
+    const authorised = await utils.checkUserPermission(ctx, 'getAuditById', 'audit-trail-view')
 
-  // Get the values to use
-  auditId = unescape(auditId)
+    if (!authorised) return
+
+    // Get the values to use
+    auditId = unescape(auditId)
 
-  try {
     // get projection object
     const projectionFiltersObject = getProjectionObject('full')
 
@@ -296,18 +274,11 @@ export async function getAuditById(ctx, auditId) {
  * construct audit filtering dropdown options
  */
 export async function getAuditsFilterOptions(ctx) {
-  // Must be admin
-  if (!authorisation.inGroup('admin', ctx.authenticated)) {
-    utils.logAndSetResponse(
-      ctx,
-      403,
-      `User ${ctx.authenticated.email} is not an admin, API access to getAudits denied.`,
-      'info'
-    )
-    return
-  }
-
   try {
+    const authorised = await utils.checkUserPermission(ctx, 'getAuditsFilterOptions', 'audit-trail-view')
+
+    if (!authorised) return
+
     ctx.body = await AuditMetaModel.findOne({}).exec()
   } catch (e) {
     utils.logAndSetResponse(

src/api/apps.js

@@ -7,7 +7,7 @@ import os from 'os'
 import * as auditing from '../auditing'
 import * as authorisation from './authorisation'
 import passport from '../passport'
-import {logAndSetResponse} from '../utils'
+import {logAndSetResponse, checkUserPermission} from '../utils'
 import {config} from '../config'
 import {
   BASIC_AUTH_TYPE,
@@ -201,15 +201,9 @@ export async function authenticate(ctx, next) {
 }
 
 export async function getEnabledAuthenticationTypes(ctx, next) {
-  if (!authorisation.inGroup('admin', ctx.authenticated)) {
-    logAndSetResponse(
-      ctx,
-      403,
-      `User ${ctx.authenticated.email} is not an admin, API access to get enabled authentication types denied.`,
-      'info'
-    )
-    return next()
-  }
+  const authorised = await checkUserPermission(ctx, 'getAuthType', 'client-manage-all')
+
+  if (!authorised) return
 
   if (!config.authentication || !Object.keys(config.authentication).length) {
     logAndSetResponse(

src/api/audits.js

@@ -1,35 +1,36 @@
 'use strict'
 
 import {ChannelModelAPI} from '../model/channels'
+import { RoleModelAPI } from '../model/role'
 
 export function inGroup(group, user) {
   return user.groups.indexOf(group) >= 0
 }
 
+const getUserChannelsByPermissions = (user, allPermission, specifiedPermission) =>
+  RoleModelAPI.find({name: {$in: user.groups}}).then(roles => {
+    if (roles.find(role => role.permissions[allPermission] || role.permissions[allPermission.replace('view', 'manage')])) {
+      return ChannelModelAPI.find({}).exec()
+    }
+    const specifiedChannels = roles.reduce((prev, curr) =>
+      prev.concat(curr.permissions[specifiedPermission], curr.permissions[specifiedPermission.replace('view', 'manage')]),
+      []
+    )
+    return ChannelModelAPI.find({_id: {$in: specifiedChannels}}).exec()
+  })
+
 /**
  * A promise returning function that returns the list
  * of viewable channels for a user.
  */
-export function getUserViewableChannels(user, access = 'txViewAcl') {
-  // if admin find all channels
-  if (inGroup('admin', user)) {
-    return ChannelModelAPI.find({}).exec()
-  } else {
-    // otherwise only channels that this user has access to
-    return ChannelModelAPI.find({[access]: {$in: user.groups}}).exec()
-  }
+export function getUserViewableChannels(user) {
+  return getUserChannelsByPermissions(user, 'channel-view-all', 'channel-view-specified')
 }
 
 /**
  * A promise returning function that returns the list
  * of rerunnable channels for a user.
  */
 export function getUserRerunableChannels(user) {
-  // if admin allow all channel
-  if (inGroup('admin', user)) {
-    return ChannelModelAPI.find({}).exec()
-  } else {
-    // otherwise figure out what this user can rerun
-    return ChannelModelAPI.find({txRerunAcl: {$in: user.groups}}).exec()
-  }
+  return getUserChannelsByPermissions(user, 'transaction-rerun-all', 'transaction-rerun-specified')
 }

src/api/authentication.js

@@ -3,7 +3,6 @@
 import logger from 'winston'
 import pem from 'pem'
 
-import * as authorisation from './authorisation'
 import * as utils from '../utils'
 import {KeystoreModelAPI} from '../model/keystore'
 import {promisify} from 'util'
@@ -12,17 +11,12 @@ const readCertificateInfo = promisify(pem.readCertificateInfo)
 const getFingerprint = promisify(pem.getFingerprint)
 
 export async function generateCert(ctx) {
-  // Must be admin
+  const authorised = await utils.checkUserPermission(ctx, 'generateCert', 'certificates-manage')
+
+  if (!authorised) return
+
   let result
-  if (authorisation.inGroup('admin', ctx.authenticated) === false) {
-    utils.logAndSetResponse(
-      ctx,
-      403,
-      `User ${ctx.authenticated.email} is not an admin, API access to getServerKey by id denied.`,
-      'info'
-    )
-    return
-  }
+
   const {
     request: {body: options}
   } = ctx