2020-12-02 18:08:25 +01:00
|
|
|
const {
|
|
|
|
|
BUILTIN_ROLE_IDS,
|
2021-02-08 18:52:22 +01:00
|
|
|
getUserPermissions,
|
2020-12-02 18:08:25 +01:00
|
|
|
} = require("../utilities/security/roles")
|
2020-11-12 18:06:55 +01:00
|
|
|
const {
|
|
|
|
|
PermissionTypes,
|
2021-02-08 18:52:22 +01:00
|
|
|
doesHaveResourcePermission,
|
|
|
|
|
doesHaveBasePermission,
|
2020-11-12 18:06:55 +01:00
|
|
|
} = require("../utilities/security/permissions")
|
2020-10-28 21:35:06 +01:00
|
|
|
const env = require("../environment")
|
2020-12-09 18:10:53 +01:00
|
|
|
const { isAPIKeyValid } = require("../utilities/security/apikey")
|
2020-10-13 22:33:56 +02:00
|
|
|
const { AuthTypes } = require("../constants")
|
2020-05-27 18:23:01 +02:00
|
|
|
|
2020-12-02 14:20:56 +01:00
|
|
|
const ADMIN_ROLES = [BUILTIN_ROLE_IDS.ADMIN, BUILTIN_ROLE_IDS.BUILDER]
|
2020-11-11 18:34:15 +01:00
|
|
|
|
2020-10-22 18:48:32 +02:00
|
|
|
const LOCAL_PASS = new RegExp(["webhooks/trigger", "webhooks/schema"].join("|"))
|
|
|
|
|
|
2021-02-08 18:52:22 +01:00
|
|
|
function hasResource(ctx) {
|
|
|
|
|
return ctx.resourceId != null
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-11 18:34:15 +01:00
|
|
|
module.exports = (permType, permLevel = null) => async (ctx, next) => {
|
2020-10-22 18:48:32 +02:00
|
|
|
// webhooks can pass locally
|
2020-10-28 21:35:06 +01:00
|
|
|
if (!env.CLOUD && LOCAL_PASS.test(ctx.request.url)) {
|
2020-10-22 18:48:32 +02:00
|
|
|
return next()
|
|
|
|
|
}
|
2020-10-28 21:35:06 +01:00
|
|
|
if (env.CLOUD && ctx.headers["x-api-key"] && ctx.headers["x-instanceid"]) {
|
2020-10-12 12:57:37 +02:00
|
|
|
// api key header passed by external webhook
|
2020-12-09 18:10:53 +01:00
|
|
|
if (await isAPIKeyValid(ctx.headers["x-api-key"])) {
|
2020-10-12 14:32:52 +02:00
|
|
|
ctx.auth = {
|
2020-10-13 22:33:56 +02:00
|
|
|
authenticated: AuthTypes.EXTERNAL,
|
2020-10-12 14:32:52 +02:00
|
|
|
apiKey: ctx.headers["x-api-key"],
|
|
|
|
|
}
|
2020-10-12 12:57:37 +02:00
|
|
|
ctx.user = {
|
2020-10-29 11:28:27 +01:00
|
|
|
appId: ctx.headers["x-instanceid"],
|
2020-10-12 12:57:37 +02:00
|
|
|
}
|
|
|
|
|
return next()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ctx.throw(403, "API key invalid")
|
|
|
|
|
}
|
|
|
|
|
|
2020-10-14 17:47:53 +02:00
|
|
|
// don't expose builder endpoints in the cloud
|
2020-11-11 18:34:15 +01:00
|
|
|
if (env.CLOUD && permType === PermissionTypes.BUILDER) return
|
2020-10-14 17:47:53 +02:00
|
|
|
|
2020-10-12 14:32:52 +02:00
|
|
|
if (!ctx.auth.authenticated) {
|
2020-05-27 18:23:01 +02:00
|
|
|
ctx.throw(403, "Session not authenticated")
|
|
|
|
|
}
|
|
|
|
|
|
2020-06-18 17:59:31 +02:00
|
|
|
if (!ctx.user) {
|
|
|
|
|
ctx.throw(403, "User not found")
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-02 14:20:56 +01:00
|
|
|
const role = ctx.user.role
|
2021-02-08 18:52:22 +01:00
|
|
|
const { basePermissions, permissions } = await getUserPermissions(
|
|
|
|
|
ctx.appId,
|
|
|
|
|
role._id
|
|
|
|
|
)
|
2020-12-02 14:20:56 +01:00
|
|
|
if (ADMIN_ROLES.indexOf(role._id) !== -1) {
|
2020-10-08 18:34:41 +02:00
|
|
|
return next()
|
2020-05-27 18:23:01 +02:00
|
|
|
}
|
|
|
|
|
|
2020-11-11 18:34:15 +01:00
|
|
|
if (permType === PermissionTypes.BUILDER) {
|
2020-05-27 18:23:01 +02:00
|
|
|
ctx.throw(403, "Not Authorized")
|
|
|
|
|
}
|
|
|
|
|
|
2021-02-09 17:01:02 +01:00
|
|
|
if (
|
|
|
|
|
hasResource(ctx) &&
|
|
|
|
|
doesHaveResourcePermission(permissions, permLevel, ctx)
|
|
|
|
|
) {
|
|
|
|
|
return next()
|
|
|
|
|
}
|
2021-02-08 18:52:22 +01:00
|
|
|
|
|
|
|
|
if (!doesHaveBasePermission(permType, permLevel, basePermissions)) {
|
2020-11-12 18:06:55 +01:00
|
|
|
ctx.throw(403, "User does not have permission")
|
|
|
|
|
}
|
2020-05-27 18:23:01 +02:00
|
|
|
|
2020-11-12 18:06:55 +01:00
|
|
|
return next()
|
2020-05-27 18:23:01 +02:00
|
|
|
}
|
