Merge pull request #2920 from Budibase/fix/tenant-public
Fixing multi-tenancy public app access
This commit is contained in:
commit
08cc23d994
|
@ -1,5 +1,20 @@
|
|||
exports.SEPARATOR = "_"
|
||||
|
||||
const PRE_APP = "app"
|
||||
const PRE_DEV = "dev"
|
||||
|
||||
exports.DocumentTypes = {
|
||||
USER: "us",
|
||||
WORKSPACE: "workspace",
|
||||
CONFIG: "config",
|
||||
TEMPLATE: "template",
|
||||
APP: PRE_APP,
|
||||
DEV: PRE_DEV,
|
||||
APP_DEV: `${PRE_APP}${exports.SEPARATOR}${PRE_DEV}`,
|
||||
APP_METADATA: `${PRE_APP}${exports.SEPARATOR}metadata`,
|
||||
ROLE: "role",
|
||||
}
|
||||
|
||||
exports.StaticDatabases = {
|
||||
GLOBAL: {
|
||||
name: "global-db",
|
||||
|
|
|
@ -2,8 +2,8 @@ const { newid } = require("../hashing")
|
|||
const Replication = require("./Replication")
|
||||
const { DEFAULT_TENANT_ID } = require("../constants")
|
||||
const env = require("../environment")
|
||||
const { StaticDatabases, SEPARATOR } = require("./constants")
|
||||
const { getTenantId } = require("../tenancy")
|
||||
const { StaticDatabases, SEPARATOR, DocumentTypes } = require("./constants")
|
||||
const { getTenantId, getTenantIDFromAppID } = require("../tenancy")
|
||||
const fetch = require("node-fetch")
|
||||
const { getCouch } = require("./index")
|
||||
|
||||
|
@ -15,25 +15,11 @@ exports.ViewNames = {
|
|||
|
||||
exports.StaticDatabases = StaticDatabases
|
||||
|
||||
const PRE_APP = "app"
|
||||
const PRE_DEV = "dev"
|
||||
|
||||
const DocumentTypes = {
|
||||
USER: "us",
|
||||
WORKSPACE: "workspace",
|
||||
CONFIG: "config",
|
||||
TEMPLATE: "template",
|
||||
APP: PRE_APP,
|
||||
DEV: PRE_DEV,
|
||||
APP_DEV: `${PRE_APP}${SEPARATOR}${PRE_DEV}`,
|
||||
APP_METADATA: `${PRE_APP}${SEPARATOR}metadata`,
|
||||
ROLE: "role",
|
||||
}
|
||||
|
||||
exports.DocumentTypes = DocumentTypes
|
||||
exports.APP_PREFIX = DocumentTypes.APP + SEPARATOR
|
||||
exports.APP_DEV = exports.APP_DEV_PREFIX = DocumentTypes.APP_DEV + SEPARATOR
|
||||
exports.SEPARATOR = SEPARATOR
|
||||
exports.getTenantIDFromAppID = getTenantIDFromAppID
|
||||
|
||||
/**
|
||||
* If creating DB allDocs/query params with only a single top level ID this can be used, this
|
||||
|
@ -70,26 +56,6 @@ function isDevApp(app) {
|
|||
return exports.isDevAppID(app.appId)
|
||||
}
|
||||
|
||||
/**
|
||||
* Given an app ID this will attempt to retrieve the tenant ID from it.
|
||||
* @return {null|string} The tenant ID found within the app ID.
|
||||
*/
|
||||
exports.getTenantIDFromAppID = appId => {
|
||||
if (!appId) {
|
||||
return null
|
||||
}
|
||||
const split = appId.split(SEPARATOR)
|
||||
const hasDev = split[1] === DocumentTypes.DEV
|
||||
if ((hasDev && split.length === 3) || (!hasDev && split.length === 2)) {
|
||||
return null
|
||||
}
|
||||
if (hasDev) {
|
||||
return split[2]
|
||||
} else {
|
||||
return split[1]
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Generates a new workspace ID.
|
||||
* @returns {string} The new workspace ID which the workspace doc can be stored under.
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
const { getDB } = require("../db")
|
||||
const { SEPARATOR, StaticDatabases } = require("../db/constants")
|
||||
const { SEPARATOR, StaticDatabases, DocumentTypes } = require("../db/constants")
|
||||
const { getTenantId, DEFAULT_TENANT_ID, isMultiTenant } = require("./context")
|
||||
const env = require("../environment")
|
||||
|
||||
|
@ -117,3 +117,34 @@ exports.getTenantUser = async identifier => {
|
|||
return null
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Given an app ID this will attempt to retrieve the tenant ID from it.
|
||||
* @return {null|string} The tenant ID found within the app ID.
|
||||
*/
|
||||
exports.getTenantIDFromAppID = appId => {
|
||||
if (!appId) {
|
||||
return null
|
||||
}
|
||||
const split = appId.split(SEPARATOR)
|
||||
const hasDev = split[1] === DocumentTypes.DEV
|
||||
if ((hasDev && split.length === 3) || (!hasDev && split.length === 2)) {
|
||||
return null
|
||||
}
|
||||
if (hasDev) {
|
||||
return split[2]
|
||||
} else {
|
||||
return split[1]
|
||||
}
|
||||
}
|
||||
|
||||
exports.isUserInAppTenant = (appId, user = null) => {
|
||||
let userTenantId
|
||||
if (user) {
|
||||
userTenantId = user.tenantId || DEFAULT_TENANT_ID
|
||||
} else {
|
||||
userTenantId = getTenantId()
|
||||
}
|
||||
const tenantId = exports.getTenantIDFromAppID(appId) || DEFAULT_TENANT_ID
|
||||
return tenantId === userTenantId
|
||||
}
|
||||
|
|
|
@ -2,6 +2,7 @@ const CouchDB = require("../../db")
|
|||
const { outputProcessing } = require("../../utilities/rowProcessor")
|
||||
const { InternalTables } = require("../../db/utils")
|
||||
const { getFullUser } = require("../../utilities/users")
|
||||
const { BUILTIN_ROLE_IDS } = require("@budibase/auth/roles")
|
||||
|
||||
exports.fetchSelf = async ctx => {
|
||||
const appId = ctx.appId
|
||||
|
@ -27,8 +28,15 @@ exports.fetchSelf = async ctx => {
|
|||
...metadata,
|
||||
})
|
||||
} catch (err) {
|
||||
// user didn't exist in app, don't pretend they do
|
||||
if (user.roleId === BUILTIN_ROLE_IDS.PUBLIC) {
|
||||
ctx.body = {}
|
||||
}
|
||||
// user has a role of some sort, return them
|
||||
else {
|
||||
ctx.body = user
|
||||
}
|
||||
}
|
||||
} else {
|
||||
ctx.body = user
|
||||
}
|
||||
|
|
|
@ -9,7 +9,6 @@ jest.mock("../../../utilities/workerRequests", () => ({
|
|||
getGlobalSelf: jest.fn(() => {
|
||||
return {}
|
||||
}),
|
||||
addAppRoleToUser: jest.fn(),
|
||||
deleteGlobalUser: jest.fn(),
|
||||
}))
|
||||
|
||||
|
|
|
@ -4,14 +4,12 @@ const { Cookies } = require("@budibase/auth").constants
|
|||
const { getRole } = require("@budibase/auth/roles")
|
||||
const { BUILTIN_ROLE_IDS } = require("@budibase/auth/roles")
|
||||
const { generateUserMetadataID } = require("../db/utils")
|
||||
const { dbExists, getTenantIDFromAppID } = require("@budibase/auth/db")
|
||||
const { getTenantId } = require("@budibase/auth/tenancy")
|
||||
const { dbExists } = require("@budibase/auth/db")
|
||||
const { isUserInAppTenant } = require("@budibase/auth/tenancy")
|
||||
const { getCachedSelf } = require("../utilities/global")
|
||||
const CouchDB = require("../db")
|
||||
const env = require("../environment")
|
||||
|
||||
const DEFAULT_TENANT_ID = "default"
|
||||
|
||||
module.exports = async (ctx, next) => {
|
||||
// try to get the appID from the request
|
||||
let requestAppId = getAppId(ctx)
|
||||
|
@ -55,13 +53,21 @@ module.exports = async (ctx, next) => {
|
|||
return next()
|
||||
}
|
||||
|
||||
// If user and app tenant Ids do not match, 403
|
||||
if (env.MULTI_TENANCY && ctx.user) {
|
||||
const userTenantId = getTenantId()
|
||||
const tenantId = getTenantIDFromAppID(appId) || DEFAULT_TENANT_ID
|
||||
if (tenantId !== userTenantId) {
|
||||
ctx.throw(403, "Cannot access application.")
|
||||
}
|
||||
let noCookieSet = false
|
||||
// if the user not in the right tenant then make sure they have no permissions
|
||||
// need to judge this only based on the request app ID,
|
||||
if (
|
||||
env.MULTI_TENANCY &&
|
||||
ctx.user &&
|
||||
requestAppId &&
|
||||
!isUserInAppTenant(requestAppId)
|
||||
) {
|
||||
// don't error, simply remove the users rights (they are a public user)
|
||||
delete ctx.user.builder
|
||||
delete ctx.user.admin
|
||||
delete ctx.user.roles
|
||||
roleId = BUILTIN_ROLE_IDS.PUBLIC
|
||||
noCookieSet = true
|
||||
}
|
||||
|
||||
ctx.appId = appId
|
||||
|
@ -78,9 +84,10 @@ module.exports = async (ctx, next) => {
|
|||
}
|
||||
}
|
||||
if (
|
||||
requestAppId !== appId ||
|
||||
(requestAppId !== appId ||
|
||||
appCookie == null ||
|
||||
appCookie.appId !== requestAppId
|
||||
appCookie.appId !== requestAppId) &&
|
||||
!noCookieSet
|
||||
) {
|
||||
setCookie(ctx, { appId }, Cookies.CurrentApp)
|
||||
}
|
||||
|
|
|
@ -6,13 +6,20 @@ const { BUILTIN_ROLE_IDS } = require("@budibase/auth/roles")
|
|||
const { getDeployedAppID } = require("@budibase/auth/db")
|
||||
const { getGlobalUserParams } = require("@budibase/auth/db")
|
||||
const { user: userCache } = require("@budibase/auth/cache")
|
||||
const { getGlobalDB } = require("@budibase/auth/tenancy")
|
||||
const { getGlobalDB, isUserInAppTenant } = require("@budibase/auth/tenancy")
|
||||
const env = require("../environment")
|
||||
|
||||
exports.updateAppRole = (appId, user) => {
|
||||
if (!user.roles) {
|
||||
if (!user || !user.roles) {
|
||||
return user
|
||||
}
|
||||
// if in an multi-tenancy environment make sure roles are never updated
|
||||
if (env.MULTI_TENANCY && !isUserInAppTenant(appId, user)) {
|
||||
delete user.builder
|
||||
delete user.admin
|
||||
user.roleId = BUILTIN_ROLE_IDS.PUBLIC
|
||||
return user
|
||||
}
|
||||
|
||||
// always use the deployed app
|
||||
user.roleId = user.roles[getDeployedAppID(appId)]
|
||||
// if a role wasn't found then either set as admin (builder) or public (everyone else)
|
||||
|
|
|
@ -2,7 +2,7 @@ const fetch = require("node-fetch")
|
|||
const env = require("../environment")
|
||||
const { checkSlashesInUrl } = require("./index")
|
||||
const { getDeployedAppID } = require("@budibase/auth/db")
|
||||
const { updateAppRole, getGlobalUser } = require("./global")
|
||||
const { updateAppRole } = require("./global")
|
||||
const { Headers } = require("@budibase/auth/constants")
|
||||
const { getTenantId, isTenantIdSet } = require("@budibase/auth/tenancy")
|
||||
|
||||
|
@ -98,38 +98,6 @@ exports.getGlobalSelf = async (ctx, appId = null) => {
|
|||
return json
|
||||
}
|
||||
|
||||
exports.addAppRoleToUser = async (ctx, appId, roleId, userId = null) => {
|
||||
let user,
|
||||
endpoint,
|
||||
body = {}
|
||||
if (!userId) {
|
||||
user = await exports.getGlobalSelf(ctx)
|
||||
endpoint = `/api/global/users/self`
|
||||
} else {
|
||||
user = await getGlobalUser(appId, userId)
|
||||
body._id = userId
|
||||
endpoint = `/api/global/users`
|
||||
}
|
||||
body = {
|
||||
...body,
|
||||
roles: {
|
||||
...user.roles,
|
||||
[getDeployedAppID(appId)]: roleId,
|
||||
},
|
||||
}
|
||||
const response = await fetch(
|
||||
checkSlashesInUrl(env.WORKER_URL + endpoint),
|
||||
request(ctx, {
|
||||
method: "POST",
|
||||
body,
|
||||
})
|
||||
)
|
||||
if (response.status !== 200) {
|
||||
ctx.throw(400, "Unable to save self globally.")
|
||||
}
|
||||
return response.json()
|
||||
}
|
||||
|
||||
exports.removeAppFromUserRoles = async (ctx, appId) => {
|
||||
const deployedAppId = getDeployedAppID(appId)
|
||||
const response = await fetch(
|
||||
|
|
|
@ -20,7 +20,7 @@
|
|||
"manifest": "node ./scripts/gen-collection-info.js"
|
||||
},
|
||||
"dependencies": {
|
||||
"@budibase/handlebars-helpers": "^0.11.6",
|
||||
"@budibase/handlebars-helpers": "^0.11.7",
|
||||
"dayjs": "^1.10.4",
|
||||
"handlebars": "^4.7.6",
|
||||
"handlebars-utils": "^1.0.6",
|
||||
|
|
|
@ -270,15 +270,14 @@
|
|||
resolved "https://registry.yarnpkg.com/@bcoe/v8-coverage/-/v8-coverage-0.2.3.tgz#75a2e8b51cb758a7553d6804a5932d7aace75c39"
|
||||
integrity sha512-0hYQ8SB4Db5zvZB4axdMHGwEaQjkZzFjQiN9LVYvIFB2nSUHW9tYpxWriPrWDASIxiaXax83REcLxuSdnGPZtw==
|
||||
|
||||
"@budibase/handlebars-helpers@^0.11.6":
|
||||
version "0.11.6"
|
||||
resolved "https://registry.yarnpkg.com/@budibase/handlebars-helpers/-/handlebars-helpers-0.11.6.tgz#00e924a0142aac41c07e3d104607759635eec952"
|
||||
integrity sha512-FLtCWkh0cNHC0/X6Pt5Xjmp4/r4tCpv5f5sP1JcZsaSKPyE5gpNu/+fqUxgDTzVS3PVo0KE6hdRPKVWvVqwPEw==
|
||||
"@budibase/handlebars-helpers@^0.11.7":
|
||||
version "0.11.7"
|
||||
resolved "https://registry.yarnpkg.com/@budibase/handlebars-helpers/-/handlebars-helpers-0.11.7.tgz#8e5f9843d7dd10503e9f608555a96ccf4d836c46"
|
||||
integrity sha512-PvGHAv22cWSFExs1kc0WglwsmCEUEOqWvSp6JCFZwtc3qAAr5yMfLK8WGVQ63ALvyzWZiyxF+yrlzeeaohCMJw==
|
||||
dependencies:
|
||||
array-sort "^1.0.0"
|
||||
define-property "^2.0.2"
|
||||
extend-shallow "^3.0.2"
|
||||
"falsey" "^1.0.0"
|
||||
for-in "^1.0.2"
|
||||
get-object "^0.2.0"
|
||||
get-value "^3.0.1"
|
||||
|
@ -1734,11 +1733,6 @@ extsprintf@^1.2.0:
|
|||
resolved "https://registry.yarnpkg.com/extsprintf/-/extsprintf-1.4.0.tgz#e2689f8f356fad62cca65a3a91c5df5f9551692f"
|
||||
integrity sha1-4mifjzVvrWLMplo6kcXfX5VRaS8=
|
||||
|
||||
"falsey@^1.0.0":
|
||||
version "1.0.0"
|
||||
resolved "https://registry.yarnpkg.com/falsey/-/falsey-1.0.0.tgz#71bdd775c24edad9f2f5c015ce8be24400bb5d7d"
|
||||
integrity sha512-zMDNZ/Ipd8MY0+346CPvhzP1AsiVyNfTOayJza4reAIWf72xbkuFUDcJNxSAsQE1b9Bu0wijKb8Ngnh/a7fI5w==
|
||||
|
||||
fast-deep-equal@^3.1.1:
|
||||
version "3.1.3"
|
||||
resolved "https://registry.yarnpkg.com/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz#3a7d56b559d6cbc3eb512325244e619a65c6c525"
|
||||
|
|
|
@ -54,6 +54,11 @@ async function authInternal(ctx, user, err = null, info = null) {
|
|||
|
||||
// just store the user ID
|
||||
ctx.cookies.set(Cookies.Auth, user.token, config)
|
||||
// get rid of any app cookies on login
|
||||
// have to check test because this breaks cypress
|
||||
if (!env.isTest()) {
|
||||
clearCookie(ctx, Cookies.CurrentApp)
|
||||
}
|
||||
}
|
||||
|
||||
exports.authenticate = async (ctx, next) => {
|
||||
|
@ -117,6 +122,7 @@ exports.resetUpdate = async ctx => {
|
|||
|
||||
exports.logout = async ctx => {
|
||||
clearCookie(ctx, Cookies.Auth)
|
||||
clearCookie(ctx, Cookies.CurrentApp)
|
||||
ctx.body = { message: "User logged out." }
|
||||
}
|
||||
|
||||
|
|
|
@ -17,6 +17,8 @@ describe("/api/global/email", () => {
|
|||
afterAll(setup.afterAll)
|
||||
|
||||
async function sendRealEmail(purpose) {
|
||||
let response, text
|
||||
try {
|
||||
await config.saveEtherealSmtpConfig()
|
||||
await config.saveSettingsConfig()
|
||||
const user = await config.getUser("test@test.com")
|
||||
|
@ -34,8 +36,16 @@ describe("/api/global/email", () => {
|
|||
const testUrl = nodemailer.getTestMessageUrl(res.body)
|
||||
console.log(`${purpose} URL: ${testUrl}`)
|
||||
expect(testUrl).toBeDefined()
|
||||
const response = await fetch(testUrl)
|
||||
const text = await response.text()
|
||||
response = await fetch(testUrl)
|
||||
text = await response.text()
|
||||
} catch (err) {
|
||||
// ethereal hiccup, can't test right now
|
||||
if (parseInt(err.status) >= 400) {
|
||||
return
|
||||
} else {
|
||||
throw err
|
||||
}
|
||||
}
|
||||
let toCheckFor
|
||||
switch (purpose) {
|
||||
case EmailTemplatePurpose.WELCOME:
|
||||
|
|
|
@ -38,6 +38,9 @@ class TestConfiguration {
|
|||
request.request = {
|
||||
body: config,
|
||||
}
|
||||
request.throw = (status, err) => {
|
||||
throw { status, message: err }
|
||||
}
|
||||
if (params) {
|
||||
request.params = params
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue