Typescript re-write of the roles layer, this is the backbone of a lot of our security features, and I believe the issue was generally to do with a lack of handling of null-ish inputs.

This commit is contained in:
mike12345567 2022-11-08 18:25:37 +00:00
parent 963fc738f4
commit 693d6b6242
3 changed files with 97 additions and 79 deletions

View File

@ -26,9 +26,9 @@ type UploadParams = {
bucket: string bucket: string
filename: string filename: string
path: string path: string
type: string type?: string
// can be undefined, we will remove it // can be undefined, we will remove it
metadata: { metadata?: {
[key: string]: string | undefined [key: string]: string | undefined
} }
} }

View File

@ -1,19 +1,21 @@
const { cloneDeep } = require("lodash/fp") import { BUILTIN_PERMISSION_IDS, PermissionLevels } from "./permissions"
const { BUILTIN_PERMISSION_IDS, PermissionLevels } = require("./permissions") import {
const {
generateRoleID, generateRoleID,
getRoleParams, getRoleParams,
DocumentType, DocumentType,
SEPARATOR, SEPARATOR,
} = require("../db/utils") } from "../db/utils"
const { getAppDB } = require("../context") import { getAppDB } from "../context"
const { doWithDB } = require("../db") import { doWithDB } from "../db"
import { Screen, Role as RoleDoc } from "@budibase/types"
const { cloneDeep } = require("lodash/fp")
const BUILTIN_IDS = { const BUILTIN_IDS = {
ADMIN: "ADMIN", ADMIN: "ADMIN",
POWER: "POWER", POWER: "POWER",
BASIC: "BASIC", BASIC: "BASIC",
PUBLIC: "PUBLIC", PUBLIC: "PUBLIC",
BUILDER: "BUILDER",
} }
// exclude internal roles like builder // exclude internal roles like builder
@ -24,19 +26,26 @@ const EXTERNAL_BUILTIN_ROLE_IDS = [
BUILTIN_IDS.PUBLIC, BUILTIN_IDS.PUBLIC,
] ]
function Role(id, name) { export class Role {
this._id = id _id: string
this.name = name name: string
} permissionId?: string
inherits?: string
Role.prototype.addPermission = function (permissionId) { constructor(id: string, name: string) {
this.permissionId = permissionId this._id = id
return this this.name = name
} }
Role.prototype.addInheritance = function (inherits) { addPermission(permissionId: string) {
this.inherits = inherits this.permissionId = permissionId
return this return this
}
addInheritance(inherits: string) {
this.inherits = inherits
return this
}
} }
const BUILTIN_ROLES = { const BUILTIN_ROLES = {
@ -57,27 +66,30 @@ const BUILTIN_ROLES = {
), ),
} }
exports.getBuiltinRoles = () => { export function getBuiltinRoles() {
return cloneDeep(BUILTIN_ROLES) return cloneDeep(BUILTIN_ROLES)
} }
exports.BUILTIN_ROLE_ID_ARRAY = Object.values(BUILTIN_ROLES).map( export const BUILTIN_ROLE_ID_ARRAY = Object.values(BUILTIN_ROLES).map(
role => role._id role => role._id
) )
exports.BUILTIN_ROLE_NAME_ARRAY = Object.values(BUILTIN_ROLES).map( export const BUILTIN_ROLE_NAME_ARRAY = Object.values(BUILTIN_ROLES).map(
role => role.name role => role.name
) )
function isBuiltin(role) { export function isBuiltin(role?: string) {
return exports.BUILTIN_ROLE_ID_ARRAY.some(builtin => role.includes(builtin)) return BUILTIN_ROLE_ID_ARRAY.some(builtin => role?.includes(builtin))
} }
/** /**
* Works through the inheritance ranks to see how far up the builtin stack this ID is. * Works through the inheritance ranks to see how far up the builtin stack this ID is.
*/ */
exports.builtinRoleToNumber = id => { export function builtinRoleToNumber(id?: string) {
const builtins = exports.getBuiltinRoles() if (!id) {
return 0
}
const builtins = getBuiltinRoles()
const MAX = Object.values(builtins).length + 1 const MAX = Object.values(builtins).length + 1
if (id === BUILTIN_IDS.ADMIN || id === BUILTIN_IDS.BUILDER) { if (id === BUILTIN_IDS.ADMIN || id === BUILTIN_IDS.BUILDER) {
return MAX return MAX
@ -97,14 +109,14 @@ exports.builtinRoleToNumber = id => {
/** /**
* Converts any role to a number, but has to be async to get the roles from db. * Converts any role to a number, but has to be async to get the roles from db.
*/ */
exports.roleToNumber = async id => { export async function roleToNumber(id?: string) {
if (exports.isBuiltin(id)) { if (isBuiltin(id)) {
return exports.builtinRoleToNumber(id) return builtinRoleToNumber(id)
} }
const hierarchy = await exports.getUserRoleHierarchy(id) const hierarchy = (await getUserRoleHierarchy(id)) as RoleDoc[]
for (let role of hierarchy) { for (let role of hierarchy) {
if (isBuiltin(role.inherits)) { if (isBuiltin(role?.inherits)) {
return exports.builtinRoleToNumber(role.inherits) + 1 return builtinRoleToNumber(role.inherits) + 1
} }
} }
return 0 return 0
@ -113,15 +125,14 @@ exports.roleToNumber = async id => {
/** /**
* Returns whichever builtin roleID is lower. * Returns whichever builtin roleID is lower.
*/ */
exports.lowerBuiltinRoleID = (roleId1, roleId2) => { export function lowerBuiltinRoleID(roleId1?: string, roleId2?: string) {
if (!roleId1) { if (!roleId1) {
return roleId2 return roleId2
} }
if (!roleId2) { if (!roleId2) {
return roleId1 return roleId1
} }
return exports.builtinRoleToNumber(roleId1) > return builtinRoleToNumber(roleId1) > builtinRoleToNumber(roleId2)
exports.builtinRoleToNumber(roleId2)
? roleId2 ? roleId2
: roleId1 : roleId1
} }
@ -132,11 +143,11 @@ exports.lowerBuiltinRoleID = (roleId1, roleId2) => {
* @param {string|null} roleId The level ID to lookup. * @param {string|null} roleId The level ID to lookup.
* @returns {Promise<Role|object|null>} The role object, which may contain an "inherits" property. * @returns {Promise<Role|object|null>} The role object, which may contain an "inherits" property.
*/ */
exports.getRole = async roleId => { export async function getRole(roleId?: string) {
if (!roleId) { if (!roleId) {
return null return null
} }
let role = {} let role: any = {}
// built in roles mostly come from the in-code implementation, // built in roles mostly come from the in-code implementation,
// but can be extended by a doc stored about them (e.g. permissions) // but can be extended by a doc stored about them (e.g. permissions)
if (isBuiltin(roleId)) { if (isBuiltin(roleId)) {
@ -146,10 +157,10 @@ exports.getRole = async roleId => {
} }
try { try {
const db = getAppDB() const db = getAppDB()
const dbRole = await db.get(exports.getDBRoleID(roleId)) const dbRole = await db.get(getDBRoleID(roleId))
role = Object.assign(role, dbRole) role = Object.assign(role, dbRole)
// finalise the ID // finalise the ID
role._id = exports.getExternalRoleID(role._id) role._id = getExternalRoleID(role._id)
} catch (err) { } catch (err) {
// only throw an error if there is no role at all // only throw an error if there is no role at all
if (Object.keys(role).length === 0) { if (Object.keys(role).length === 0) {
@ -162,12 +173,12 @@ exports.getRole = async roleId => {
/** /**
* Simple function to get all the roles based on the top level user role ID. * Simple function to get all the roles based on the top level user role ID.
*/ */
async function getAllUserRoles(userRoleId) { async function getAllUserRoles(userRoleId?: string): Promise<RoleDoc[]> {
// admins have access to all roles // admins have access to all roles
if (userRoleId === BUILTIN_IDS.ADMIN) { if (userRoleId === BUILTIN_IDS.ADMIN) {
return exports.getAllRoles() return getAllRoles()
} }
let currentRole = await exports.getRole(userRoleId) let currentRole = await getRole(userRoleId)
let roles = currentRole ? [currentRole] : [] let roles = currentRole ? [currentRole] : []
let roleIds = [userRoleId] let roleIds = [userRoleId]
// get all the inherited roles // get all the inherited roles
@ -177,7 +188,7 @@ async function getAllUserRoles(userRoleId) {
roleIds.indexOf(currentRole.inherits) === -1 roleIds.indexOf(currentRole.inherits) === -1
) { ) {
roleIds.push(currentRole.inherits) roleIds.push(currentRole.inherits)
currentRole = await exports.getRole(currentRole.inherits) currentRole = await getRole(currentRole.inherits)
roles.push(currentRole) roles.push(currentRole)
} }
return roles return roles
@ -191,7 +202,10 @@ async function getAllUserRoles(userRoleId) {
* @returns {Promise<string[]|object[]>} returns an ordered array of the roles, with the first being their * @returns {Promise<string[]|object[]>} returns an ordered array of the roles, with the first being their
* highest level of access and the last being the lowest level. * highest level of access and the last being the lowest level.
*/ */
exports.getUserRoleHierarchy = async (userRoleId, opts = { idOnly: true }) => { export async function getUserRoleHierarchy(
userRoleId?: string,
opts = { idOnly: true }
) {
// special case, if they don't have a role then they are a public user // special case, if they don't have a role then they are a public user
const roles = await getAllUserRoles(userRoleId) const roles = await getAllUserRoles(userRoleId)
return opts.idOnly ? roles.map(role => role._id) : roles return opts.idOnly ? roles.map(role => role._id) : roles
@ -200,9 +214,12 @@ exports.getUserRoleHierarchy = async (userRoleId, opts = { idOnly: true }) => {
// this function checks that the provided permissions are in an array format // this function checks that the provided permissions are in an array format
// some templates/older apps will use a simple string instead of array for roles // some templates/older apps will use a simple string instead of array for roles
// convert the string to an array using the theory that write is higher than read // convert the string to an array using the theory that write is higher than read
exports.checkForRoleResourceArray = (rolePerms, resourceId) => { export function checkForRoleResourceArray(
rolePerms: { [key: string]: string[] },
resourceId: string
) {
if (rolePerms && !Array.isArray(rolePerms[resourceId])) { if (rolePerms && !Array.isArray(rolePerms[resourceId])) {
const permLevel = rolePerms[resourceId] const permLevel = rolePerms[resourceId] as any
rolePerms[resourceId] = [permLevel] rolePerms[resourceId] = [permLevel]
if (permLevel === PermissionLevels.WRITE) { if (permLevel === PermissionLevels.WRITE) {
rolePerms[resourceId].push(PermissionLevels.READ) rolePerms[resourceId].push(PermissionLevels.READ)
@ -215,7 +232,7 @@ exports.checkForRoleResourceArray = (rolePerms, resourceId) => {
* Given an app ID this will retrieve all of the roles that are currently within that app. * Given an app ID this will retrieve all of the roles that are currently within that app.
* @return {Promise<object[]>} An array of the role objects that were found. * @return {Promise<object[]>} An array of the role objects that were found.
*/ */
exports.getAllRoles = async appId => { export async function getAllRoles(appId?: string) {
if (appId) { if (appId) {
return doWithDB(appId, internal) return doWithDB(appId, internal)
} else { } else {
@ -227,30 +244,30 @@ exports.getAllRoles = async appId => {
} }
return internal(appDB) return internal(appDB)
} }
async function internal(db) { async function internal(db: any) {
let roles = [] let roles: RoleDoc[] = []
if (db) { if (db) {
const body = await db.allDocs( const body = await db.allDocs(
getRoleParams(null, { getRoleParams(null, {
include_docs: true, include_docs: true,
}) })
) )
roles = body.rows.map(row => row.doc) roles = body.rows.map((row: any) => row.doc)
} }
const builtinRoles = exports.getBuiltinRoles() const builtinRoles = getBuiltinRoles()
// need to combine builtin with any DB record of them (for sake of permissions) // need to combine builtin with any DB record of them (for sake of permissions)
for (let builtinRoleId of EXTERNAL_BUILTIN_ROLE_IDS) { for (let builtinRoleId of EXTERNAL_BUILTIN_ROLE_IDS) {
const builtinRole = builtinRoles[builtinRoleId] const builtinRole = builtinRoles[builtinRoleId]
const dbBuiltin = roles.filter( const dbBuiltin = roles.filter(
dbRole => exports.getExternalRoleID(dbRole._id) === builtinRoleId dbRole => getExternalRoleID(dbRole._id) === builtinRoleId
)[0] )[0]
if (dbBuiltin == null) { if (dbBuiltin == null) {
roles.push(builtinRole || builtinRoles.BASIC) roles.push(builtinRole || builtinRoles.BASIC)
} else { } else {
// remove role and all back after combining with the builtin // remove role and all back after combining with the builtin
roles = roles.filter(role => role._id !== dbBuiltin._id) roles = roles.filter(role => role._id !== dbBuiltin._id)
dbBuiltin._id = exports.getExternalRoleID(dbBuiltin._id) dbBuiltin._id = getExternalRoleID(dbBuiltin._id)
roles.push(Object.assign(builtinRole, dbBuiltin)) roles.push(Object.assign(builtinRole, dbBuiltin))
} }
} }
@ -260,7 +277,7 @@ exports.getAllRoles = async appId => {
continue continue
} }
for (let resourceId of Object.keys(role.permissions)) { for (let resourceId of Object.keys(role.permissions)) {
role.permissions = exports.checkForRoleResourceArray( role.permissions = checkForRoleResourceArray(
role.permissions, role.permissions,
resourceId resourceId
) )
@ -277,11 +294,11 @@ exports.getAllRoles = async appId => {
* @param subResourceId The sub resource being requested * @param subResourceId The sub resource being requested
* @return {Promise<{permissions}|Object>} returns the permissions required to access. * @return {Promise<{permissions}|Object>} returns the permissions required to access.
*/ */
exports.getRequiredResourceRole = async ( export async function getRequiredResourceRole(
permLevel, permLevel: string,
{ resourceId, subResourceId } { resourceId, subResourceId }: { resourceId?: string; subResourceId?: string }
) => { ) {
const roles = await exports.getAllRoles() const roles = await getAllRoles()
let main = [], let main = [],
sub = [] sub = []
for (let role of roles) { for (let role of roles) {
@ -289,8 +306,8 @@ exports.getRequiredResourceRole = async (
if (!role.permissions) { if (!role.permissions) {
continue continue
} }
const mainRes = role.permissions[resourceId] const mainRes = resourceId ? role.permissions[resourceId] : undefined
const subRes = role.permissions[subResourceId] const subRes = subResourceId ? role.permissions[subResourceId] : undefined
if (mainRes && mainRes.indexOf(permLevel) !== -1) { if (mainRes && mainRes.indexOf(permLevel) !== -1) {
main.push(role._id) main.push(role._id)
} else if (subRes && subRes.indexOf(permLevel) !== -1) { } else if (subRes && subRes.indexOf(permLevel) !== -1) {
@ -301,12 +318,13 @@ exports.getRequiredResourceRole = async (
return main.concat(sub) return main.concat(sub)
} }
class AccessController { export class AccessController {
userHierarchies: { [key: string]: string[] }
constructor() { constructor() {
this.userHierarchies = {} this.userHierarchies = {}
} }
async hasAccess(tryingRoleId, userRoleId) { async hasAccess(tryingRoleId?: string, userRoleId?: string) {
// special cases, the screen has no role, the roles are the same or the user // special cases, the screen has no role, the roles are the same or the user
// is currently in the builder // is currently in the builder
if ( if (
@ -318,16 +336,18 @@ class AccessController {
) { ) {
return true return true
} }
let roleIds = this.userHierarchies[userRoleId] let roleIds = userRoleId ? this.userHierarchies[userRoleId] : null
if (!roleIds) { if (!roleIds && userRoleId) {
roleIds = await exports.getUserRoleHierarchy(userRoleId) roleIds = (await getUserRoleHierarchy(userRoleId, {
idOnly: true,
})) as string[]
this.userHierarchies[userRoleId] = roleIds this.userHierarchies[userRoleId] = roleIds
} }
return roleIds.indexOf(tryingRoleId) !== -1 return roleIds?.indexOf(tryingRoleId) !== -1
} }
async checkScreensAccess(screens, userRoleId) { async checkScreensAccess(screens: Screen[], userRoleId: string) {
let accessibleScreens = [] let accessibleScreens = []
// don't want to handle this with Promise.all as this would mean all custom roles would be // don't want to handle this with Promise.all as this would mean all custom roles would be
// retrieved at same time, it is likely a custom role will be re-used and therefore want // retrieved at same time, it is likely a custom role will be re-used and therefore want
@ -341,8 +361,8 @@ class AccessController {
return accessibleScreens return accessibleScreens
} }
async checkScreenAccess(screen, userRoleId) { async checkScreenAccess(screen: Screen, userRoleId: string) {
const roleId = screen && screen.routing ? screen.routing.roleId : null const roleId = screen && screen.routing ? screen.routing.roleId : undefined
if (await this.hasAccess(roleId, userRoleId)) { if (await this.hasAccess(roleId, userRoleId)) {
return screen return screen
} }
@ -353,8 +373,8 @@ class AccessController {
/** /**
* Adds the "role_" for builtin role IDs which are to be written to the DB (for permissions). * Adds the "role_" for builtin role IDs which are to be written to the DB (for permissions).
*/ */
exports.getDBRoleID = roleId => { function getDBRoleID(roleId?: string) {
if (roleId.startsWith(DocumentType.ROLE)) { if (roleId?.startsWith(DocumentType.ROLE)) {
return roleId return roleId
} }
return generateRoleID(roleId) return generateRoleID(roleId)
@ -363,15 +383,12 @@ exports.getDBRoleID = roleId => {
/** /**
* Remove the "role_" from builtin role IDs that have been written to the DB (for permissions). * Remove the "role_" from builtin role IDs that have been written to the DB (for permissions).
*/ */
exports.getExternalRoleID = roleId => { function getExternalRoleID(roleId?: string) {
// for built in roles we want to remove the DB role ID element (role_) // for built-in roles we want to remove the DB role ID element (role_)
if (roleId.startsWith(DocumentType.ROLE) && isBuiltin(roleId)) { if (roleId?.startsWith(DocumentType.ROLE) && isBuiltin(roleId)) {
return roleId.split(`${DocumentType.ROLE}${SEPARATOR}`)[1] return roleId.split(`${DocumentType.ROLE}${SEPARATOR}`)[1]
} }
return roleId return roleId
} }
exports.AccessController = AccessController export const BUILTIN_ROLE_IDS = BUILTIN_IDS
exports.BUILTIN_ROLE_IDS = BUILTIN_IDS
exports.isBuiltin = isBuiltin
exports.Role = Role

View File

@ -3,4 +3,5 @@ import { Document } from "../document"
export interface Role extends Document { export interface Role extends Document {
permissionId: string permissionId: string
inherits: string inherits: string
permissions: { [key: string]: string[] }
} }