api: refine NotAuthorized error + return correct http status code

openkfw · Apr 1, 2019 · 9399e25 · 9399e25
1 parent 9005f99
commit 9399e25
Show file tree

Hide file tree

Showing 38 changed files with 167 additions and 127 deletions.
diff --git a/api/src/http_errors.ts b/api/src/http_errors.ts
@@ -1,5 +1,6 @@
+import { VError } from "verror";
+
 import logger from "./lib/logger";
-import { NotAuthorized } from "./service/domain/errors/not_authorized";
 import { NotFound } from "./service/domain/errors/not_found";
 import { PreconditionError } from "./service/domain/errors/precondition_error";
 
@@ -26,7 +27,7 @@ function convertError(error: any): { code: number; message: string } {
   if (error instanceof PreconditionError) {
     logger.debug({ error }, error.message);
     return { code: 400, message: error.message };
-  } else if (error instanceof NotAuthorized) {
+  } else if (VError.hasCauseWithName(error, "NotAuthorized")) {
     logger.debug({ error }, error.message);
     return { code: 403, message: error.message };
   } else if (error instanceof NotFound) {

diff --git a/api/src/project_view_details.ts b/api/src/project_view_details.ts
@@ -1,4 +1,5 @@
 import { FastifyInstance } from "fastify";
+import { VError } from "verror";
 
 import { getAllowedIntents } from "./authz";
 import Intent from "./authz/intents";
@@ -202,8 +203,7 @@ export function addHttpHandler(server: FastifyInstance, urlPrefix: string, servi
       try {
         const projectResult = await service.getProject(ctx, user, projectId);
         if (Result.isErr(projectResult)) {
-          projectResult.message = `project.viewDetails failed: ${projectResult.message}`;
-          throw projectResult;
+          throw new VError(projectResult, "project.viewDetails failed");
         }
         const project: Project.Project = projectResult;
 

diff --git a/api/src/service/domain/errors/not_authorized.ts b/api/src/service/domain/errors/not_authorized.ts
@@ -1,23 +1,33 @@
+import { isArray } from "util";
+
 import Intent from "../../../authz/intents";
 import { Ctx } from "../../../lib/ctx";
-import { BusinessEvent } from "../business_event";
 
 export class NotAuthorized extends Error {
+  private readonly target?: object;
+
   constructor(
     private readonly ctx: Ctx,
     private readonly userId: string,
-    private readonly businessEvent?: BusinessEvent,
-    private readonly intent?: Intent,
+    private readonly intent: Intent | Intent[],
+    target?: object,
   ) {
     super(
-      `User ${userId} is not authorized${
-        businessEvent ? ` to apply ${businessEvent.type}` : ` to invoke ${intent}`
-      }.`,
+      `user ${userId} is not authorized for ${
+        isArray(intent) ? `any of ${intent.join(", ")}` : intent
+      }`,
     );
+    this.name = "NotAuthorized";
 
     // Maintains proper stack trace for where our error was thrown (only available on V8):
     if (Error.captureStackTrace) {
       Error.captureStackTrace(this, NotAuthorized);
     }
+
+    // Removing trace events as they're not needed and spam the log output when printed:
+    if (target !== undefined && (target as any).log !== undefined) {
+      delete (target as any).log;
+    }
+    this.target = target;
   }
 }
diff --git a/api/src/service/domain/organization/group_create.ts b/api/src/service/domain/organization/group_create.ts
@@ -71,12 +71,13 @@ export async function createGroup(
 
   // Check authorization (if not root):
   if (creatingUser.id !== "root") {
+    const intent = "global.createGroup";
     const permissions = await repository.getGlobalPermissions();
-    const isAuthorized = identitiesAuthorizedFor(permissions, "global.createGroup").some(identity =>
+    const isAuthorized = identitiesAuthorizedFor(permissions, intent).some(identity =>
       canAssumeIdentity(creatingUser, identity),
     );
     if (!isAuthorized) {
-      return { newEvents: [], errors: [new NotAuthorized(ctx, creatingUser.id, createEvent)] };
+      return { newEvents: [], errors: [new NotAuthorized(ctx, creatingUser.id, intent)] };
     }
   }
 

diff --git a/api/src/service/domain/organization/group_member_add.ts b/api/src/service/domain/organization/group_member_add.ts
@@ -32,10 +32,11 @@ export async function addMember(
 
   // Check authorization (if not root):
   if (issuer.id !== "root") {
-    if (!Group.permits(group, issuer, ["group.addUser"])) {
+    const intent = "group.addUser";
+    if (!Group.permits(group, issuer, [intent])) {
       return {
         newEvents: [],
-        errors: [new NotAuthorized(ctx, issuer.id, memberAdded)],
+        errors: [new NotAuthorized(ctx, issuer.id, intent, group)],
       };
     }
   }

diff --git a/api/src/service/domain/organization/group_member_remove.ts b/api/src/service/domain/organization/group_member_remove.ts
@@ -32,10 +32,11 @@ export async function removeMember(
 
   // Check authorization (if not root):
   if (issuer.id !== "root") {
-    if (!Group.permits(group, issuer, ["group.removeUser"])) {
+    const intent = "group.removeUser";
+    if (!Group.permits(group, issuer, [intent])) {
       return {
         newEvents: [],
-        errors: [new NotAuthorized(ctx, issuer.id, memberRemoved)],
+        errors: [new NotAuthorized(ctx, issuer.id, intent, group)],
       };
     }
   }

diff --git a/api/src/service/domain/organization/user_create.ts b/api/src/service/domain/organization/user_create.ts
@@ -77,15 +77,15 @@ export async function createUser(
 
   // Check authorization (if not root):
   if (creatingUser.id !== "root") {
+    const intent = "global.createUser";
     const permissions = await repository.getGlobalPermissions();
-    const isAuthorized = identitiesAuthorizedFor(permissions, "global.createUser").some(identity =>
+    const isAuthorized = identitiesAuthorizedFor(permissions, intent).some(identity =>
       canAssumeIdentity(creatingUser, identity),
     );
     if (!isAuthorized) {
-      const unfinishedBusinessEvent = UserCreated.createEvent(source, publisher, eventTemplate);
       return {
         newEvents: [],
-        errors: [new NotAuthorized(ctx, creatingUser.id, unfinishedBusinessEvent)],
+        errors: [new NotAuthorized(ctx, creatingUser.id, intent)],
       };
     }
   }

diff --git a/api/src/service/domain/workflow/global_permission_grant.ts b/api/src/service/domain/workflow/global_permission_grant.ts
@@ -30,11 +30,12 @@ export async function grantGlobalPermission(
 
   // Check authorization (if not root):
   if (issuer.id !== "root") {
+    const grantIntent = "global.grantPermission";
     const currentGlobalPermissions = await repository.getGlobalPermissions();
-    if (!GlobalPermissions.permits(currentGlobalPermissions, issuer, ["global.grantPermission"])) {
+    if (!GlobalPermissions.permits(currentGlobalPermissions, issuer, [grantIntent])) {
       return {
         newEvents: [],
-        errors: [new NotAuthorized(ctx, issuer.id, globalPermissionGranted)],
+        errors: [new NotAuthorized(ctx, issuer.id, grantIntent, currentGlobalPermissions)],
       };
     }
   }

diff --git a/api/src/service/domain/workflow/global_permission_revoke.ts b/api/src/service/domain/workflow/global_permission_revoke.ts
@@ -30,11 +30,12 @@ export async function revokeGlobalPermission(
 
   // Check authorization (if not root):
   if (issuer.id !== "root") {
+    const revokeIntent = "global.revokePermission";
     const currentGlobalPermissions = await repository.getGlobalPermissions();
-    if (!GlobalPermissions.permits(currentGlobalPermissions, issuer, ["global.revokePermission"])) {
+    if (!GlobalPermissions.permits(currentGlobalPermissions, issuer, [revokeIntent])) {
       return {
         newEvents: [],
-        errors: [new NotAuthorized(ctx, issuer.id, globalPermissionRevoked)],
+        errors: [new NotAuthorized(ctx, issuer.id, revokeIntent, currentGlobalPermissions)],
       };
     }
   }

diff --git a/api/src/service/domain/workflow/project_assign.ts b/api/src/service/domain/workflow/project_assign.ts
@@ -42,8 +42,9 @@ export async function assignProject(
   }
 
   // Check authorization (if not root):
-  if (issuer.id !== "root" && !Project.permits(project, issuer, ["project.assign"])) {
-    return new NotAuthorized(ctx, issuer.id, projectAssigned);
+  const intent = "project.assign";
+  if (issuer.id !== "root" && !Project.permits(project, issuer, [intent])) {
+    return new NotAuthorized(ctx, issuer.id, intent, project);
   }
 
   // Check that the new event is indeed valid:

diff --git a/api/src/service/domain/workflow/project_close.ts b/api/src/service/domain/workflow/project_close.ts
@@ -58,8 +58,9 @@ export async function closeProject(
   }
 
   // Check authorization (if not root):
-  if (issuer.id !== "root" && !Project.permits(project, issuer, ["project.close"])) {
-    return new NotAuthorized(ctx, issuer.id, projectClosed);
+  const intent = "project.close";
+  if (issuer.id !== "root" && !Project.permits(project, issuer, [intent])) {
+    return new NotAuthorized(ctx, issuer.id, intent, project);
   }
 
   // Check that the new event is indeed valid:

diff --git a/api/src/service/domain/workflow/project_create.ts b/api/src/service/domain/workflow/project_create.ts
@@ -96,9 +96,13 @@ export async function createProject(
 
   // Check authorization (if not root):
   if (creatingUser.id !== "root") {
+    const intent = "global.createProject";
     const permissions = await repository.getGlobalPermissions();
-    if (!GlobalPermissions.permits(permissions, creatingUser, ["global.createProject"])) {
-      return { newEvents: [], errors: [new NotAuthorized(ctx, creatingUser.id, createEvent)] };
+    if (!GlobalPermissions.permits(permissions, creatingUser, [intent])) {
+      return {
+        newEvents: [],
+        errors: [new NotAuthorized(ctx, creatingUser.id, intent, permissions)],
+      };
     }
   }
 

diff --git a/api/src/service/domain/workflow/project_get.ts b/api/src/service/domain/workflow/project_get.ts
@@ -1,4 +1,3 @@
-import { VError } from "verror";
 import Intent from "../../../authz/intents";
 import { Ctx } from "../../../lib/ctx";
 import * as Result from "../../../result";
@@ -25,11 +24,9 @@ export async function getProject(
     return new NotFound(ctx, "project", projectId);
   }
 
-  if (
-    user.id !== "root" &&
-    !Project.permits(project, user, ["project.viewSummary", "project.viewDetails"])
-  ) {
-    return new NotAuthorized(ctx, user.id, undefined, "project.viewSummary");
+  const intents: Intent[] = ["project.viewSummary", "project.viewDetails"];
+  if (user.id !== "root" && !Project.permits(project, user, intents)) {
+    return new NotAuthorized(ctx, user.id, intents, project);
   }
 
   return dropHiddenHistoryEvents(project, user);

diff --git a/api/src/service/domain/workflow/project_permission_grant.ts b/api/src/service/domain/workflow/project_permission_grant.ts
@@ -42,8 +42,9 @@ export async function grantProjectPermission(
 
   // Check authorization (if not root):
   if (issuer.id !== "root") {
-    if (!Project.permits(project, issuer, ["project.intent.grantPermission"])) {
-      return new NotAuthorized(ctx, issuer.id, permissionGranted);
+    const grantIntent = "project.intent.grantPermission";
+    if (!Project.permits(project, issuer, [grantIntent])) {
+      return new NotAuthorized(ctx, issuer.id, grantIntent, project);
     }
   }
 

diff --git a/api/src/service/domain/workflow/project_permission_revoke.ts b/api/src/service/domain/workflow/project_permission_revoke.ts
@@ -42,8 +42,9 @@ export async function revokeProjectPermission(
 
   // Check authorization (if not root):
   if (issuer.id !== "root") {
-    if (!Project.permits(project, issuer, ["project.intent.revokePermission"])) {
-      return new NotAuthorized(ctx, issuer.id, permissionRevoked);
+    const revokeIntent = "project.intent.revokePermission";
+    if (!Project.permits(project, issuer, [revokeIntent])) {
+      return new NotAuthorized(ctx, issuer.id, revokeIntent, project);
     }
   }
 

diff --git a/api/src/service/domain/workflow/project_projected_budget_delete.ts b/api/src/service/domain/workflow/project_projected_budget_delete.ts
@@ -40,8 +40,9 @@ export async function deleteProjectedBudget(
 
   // Check authorization (if not root):
   if (issuer.id !== "root") {
-    if (!Project.permits(project, issuer, ["project.budget.deleteProjected"])) {
-      return new NotAuthorized(ctx, issuer.id, budgetDeleted);
+    const intent = "project.budget.deleteProjected";
+    if (!Project.permits(project, issuer, [intent])) {
+      return new NotAuthorized(ctx, issuer.id, intent, project);
     }
   }
 

diff --git a/api/src/service/domain/workflow/project_projected_budget_update.ts b/api/src/service/domain/workflow/project_projected_budget_update.ts
@@ -43,8 +43,9 @@ export async function updateProjectedBudget(
 
   // Check authorization (if not root):
   if (issuer.id !== "root") {
-    if (!Project.permits(project, issuer, ["project.budget.updateProjected"])) {
-      return new NotAuthorized(ctx, issuer.id, budgetUpdated);
+    const intent = "project.budget.updateProjected";
+    if (!Project.permits(project, issuer, [intent])) {
+      return new NotAuthorized(ctx, issuer.id, intent, project);
     }
   }
 

diff --git a/api/src/service/domain/workflow/project_update.ts b/api/src/service/domain/workflow/project_update.ts
@@ -45,8 +45,9 @@ export async function updateProject(
 
   // Check authorization (if not root):
   if (issuer.id !== "root") {
-    if (!Project.permits(project, issuer, ["project.update"])) {
-      return new NotAuthorized(ctx, issuer.id, projectUpdated);
+    const intent = "project.update";
+    if (!Project.permits(project, issuer, [intent])) {
+      return new NotAuthorized(ctx, issuer.id, intent, project);
     }
   }
 

diff --git a/api/src/service/domain/workflow/subproject_assign.ts b/api/src/service/domain/workflow/subproject_assign.ts
@@ -51,8 +51,9 @@ export async function assignSubproject(
 
   // Check authorization (if not root):
   if (issuer.id !== "root") {
-    if (!Subproject.permits(subproject, issuer, ["subproject.assign"])) {
-      return new NotAuthorized(ctx, issuer.id, subprojectAssigned);
+    const intent = "subproject.assign";
+    if (!Subproject.permits(subproject, issuer, [intent])) {
+      return new NotAuthorized(ctx, issuer.id, intent, subproject);
     }
   }
 

diff --git a/api/src/service/domain/workflow/subproject_close.ts b/api/src/service/domain/workflow/subproject_close.ts
@@ -74,8 +74,11 @@ export async function closeSubproject(
   }
 
   // Check authorization (if not root):
-  if (issuer.id !== "root" && !Subproject.permits(subproject, issuer, ["subproject.close"])) {
-    return new NotAuthorized(ctx, issuer.id, subprojectClosed);
+  if (issuer.id !== "root") {
+    const intent = "subproject.close";
+    if (!Subproject.permits(subproject, issuer, [intent])) {
+      return new NotAuthorized(ctx, issuer.id, intent, subproject);
+    }
   }
 
   // Check that the new event is indeed valid:

diff --git a/api/src/service/domain/workflow/subproject_create.ts b/api/src/service/domain/workflow/subproject_create.ts
@@ -111,11 +111,11 @@ export async function createSubproject(
     return new NotFound(ctx, "project", projectId);
   }
 
-  if (
-    creatingUser.id !== "root" &&
-    !AuthToken.permits(projectPermissions, creatingUser, ["project.createSubproject"])
-  ) {
-    return new NotAuthorized(ctx, creatingUser.id, subprojectCreated);
+  if (creatingUser.id !== "root") {
+    const intent = "project.createSubproject";
+    if (!AuthToken.permits(projectPermissions, creatingUser, [intent])) {
+      return new NotAuthorized(ctx, creatingUser.id, intent, { projectId, projectPermissions });
+    }
   }
 
   // Check that the event is valid by trying to "apply" it:

diff --git a/api/src/service/domain/workflow/subproject_get.ts b/api/src/service/domain/workflow/subproject_get.ts
@@ -25,11 +25,11 @@ export async function getSubproject(
   }
   const subproject = subprojectResult;
 
-  if (
-    user.id !== "root" &&
-    !Subproject.permits(subproject, user, ["subproject.viewSummary", "subproject.viewDetails"])
-  ) {
-    return new NotAuthorized(ctx, user.id, undefined, "subproject.viewDetails");
+  if (user.id !== "root") {
+    const intents: Intent[] = ["subproject.viewSummary", "subproject.viewDetails"];
+    if (!Subproject.permits(subproject, user, intents)) {
+      return new NotAuthorized(ctx, user.id, intents, subproject);
+    }
   }
 
   return dropHiddenHistoryEvents(subproject, user);

diff --git a/api/src/service/domain/workflow/subproject_permission_grant.ts b/api/src/service/domain/workflow/subproject_permission_grant.ts
@@ -48,8 +48,9 @@ export async function grantSubprojectPermission(
 
   // Check authorization (if not root):
   if (issuer.id !== "root") {
-    if (!Subproject.permits(subproject, issuer, ["subproject.intent.grantPermission"])) {
-      return new NotAuthorized(ctx, issuer.id, permissionGranted);
+    const grantIntent = "subproject.intent.grantPermission";
+    if (!Subproject.permits(subproject, issuer, [grantIntent])) {
+      return new NotAuthorized(ctx, issuer.id, grantIntent, subproject);
     }
   }
 

diff --git a/api/src/service/domain/workflow/subproject_permission_revoke.ts b/api/src/service/domain/workflow/subproject_permission_revoke.ts
@@ -48,8 +48,9 @@ export async function revokeSubprojectPermission(
 
   // Check authorization (if not root):
   if (issuer.id !== "root") {
-    if (!Subproject.permits(subproject, issuer, ["subproject.intent.revokePermission"])) {
-      return new NotAuthorized(ctx, issuer.id, permissionRevoked);
+    const revokeIntent = "subproject.intent.revokePermission";
+    if (!Subproject.permits(subproject, issuer, [revokeIntent])) {
+      return new NotAuthorized(ctx, issuer.id, revokeIntent, subproject);
     }
   }
 

diff --git a/api/src/service/domain/workflow/subproject_permissions_list.ts b/api/src/service/domain/workflow/subproject_permissions_list.ts
@@ -30,8 +30,9 @@ export async function getSubprojectPermissions(
   const subproject: Subproject.Subproject = subprojectResult;
 
   if (user.id !== "root") {
-    if (!Subproject.permits(subproject, user, ["subproject.intent.listPermissions"])) {
-      return new NotAuthorized(ctx, user.id, undefined, "subproject.intent.listPermissions");
+    const intent = "subproject.intent.listPermissions";
+    if (!Subproject.permits(subproject, user, [intent])) {
+      return new NotAuthorized(ctx, user.id, intent, subproject);
     }
   }
   return subproject.permissions;

diff --git a/api/src/service/domain/workflow/subproject_projected_budget_delete.ts b/api/src/service/domain/workflow/subproject_projected_budget_delete.ts
@@ -43,11 +43,11 @@ export async function deleteProjectedBudget(
   );
 
   // Check authorization (if not root):
-  if (
-    issuer.id !== "root" &&
-    !Subproject.permits(subproject, issuer, ["subproject.budget.deleteProjected"])
-  ) {
-    return new NotAuthorized(ctx, issuer.id, budgetDeleted);
+  if (issuer.id !== "root") {
+    const intent = "subproject.budget.deleteProjected";
+    if (!Subproject.permits(subproject, issuer, [intent])) {
+      return new NotAuthorized(ctx, issuer.id, intent, subproject);
+    }
   }
 
   // Check that the new event is indeed valid: