From 659aeee16424213324901a2048a96f0f79e259cc Mon Sep 17 00:00:00 2001
From: Anurag Shukla
Date: Tue, 25 Oct 2022 23:02:10 +0530
Subject: [PATCH 1/5] Fix: server user query error on first time resetting db
---
 server/backend/src/scripts/ResetDB.ts | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/server/backend/src/scripts/ResetDB.ts b/server/backend/src/scripts/ResetDB.ts
index 446239f42..1316d2820 100644
--- a/server/backend/src/scripts/ResetDB.ts
+++ b/server/backend/src/scripts/ResetDB.ts
@@ -46,8 +46,13 @@ let scriptSequence = ['recreate-tables', 'auth-bootstrap'];
 setupDbConnection();
 // Remove server users from keycloak
- const allServerUsers = await BasicModel.getRecords('server_user', {});
- await KeycloakUtils.removeAllUsers();
+ try {
+ const allServerUsers = await BasicModel.getRecords('server_user', {});
+ await KeycloakUtils.removeAllUsers();
+ } catch (e) {
+ logger.warn(e)
+ }
+
 await BBPromise.mapSeries(scriptSequence, async (action) => {
 switch (action) {
From 21ab34fdaa05222aa038c2c276bd414299aeaa8d Mon Sep 17 00:00:00 2001
From: Jain <@paypal.com>
Date: Fri, 4 Nov 2022 16:57:23 +0530
Subject: [PATCH 2/5] :hammer: Fetching role directly from server_user table
---
 server/backend/src/scripts/AuthBootstrap.ts | 4 ++--
 server/backend/src/scripts/ResetDB.ts | 14 +++++++-------
 .../ServerUserController.ts | 4 ++--
 .../src/user-routes-controllers/TaskController.ts | 4 ++--
 .../src/utils/auth/tokenAuthoriser/Index.ts | 4 ++--
 5 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/server/backend/src/scripts/AuthBootstrap.ts b/server/backend/src/scripts/AuthBootstrap.ts
index fb7c28b5a..f40590dd5 100644
--- a/server/backend/src/scripts/AuthBootstrap.ts
+++ b/server/backend/src/scripts/AuthBootstrap.ts
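Review bot: The new try/catch also swallows a failure of `KeycloakUtils.removeAllUsers()`, so a reset whose Keycloak cleanup throws only logs a warning and then recreates the local tables, leaving the old identity-provider accounts in place; `allServerUsers` is fetched and never used, so the query the commit title refers to guards nothing. If the query is a leftover, delete it and keep `await KeycloakUtils.removeAllUsers();` outside any try so a cleanup failure still aborts the reset; if the cleanup is intentionally best-effort, say so at the call site, e.g. `// Best effort: Keycloak may hold no users yet on a fresh install`, and log with a message naming the step rather than the bare `logger.warn(e)`. The enclosing async block starts and ends outside the hunk.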
@@ -6,7 +6,7 @@ import { BasicModel } from '@karya/common';
 import { ServerUser } from '@karya/core';
 import { getCreationCode } from '@karya/misc-utils';
-import * as TokenAuthHandler from '../utils/auth/tokenAuthoriser/tokenAuthHandler/TokenAuthHandler';
+// import * as TokenAuthHandler from '../utils/auth/tokenAuthoriser/tokenAuthHandler/TokenAuthHandler';
 /**
 * Function to bootstrap authentication. Creates an admin user and outputs a creation code.
@@ -40,7 +40,7 @@ export async function bootstrapAuth() {
 const insertedRecord = await BasicModel.insertRecord('server_user', workProvider);
 /**Create role for admin */
- await TokenAuthHandler.assignRole(insertedRecord, 'ADMIN');
+ // await TokenAuthHandler.assignRole(insertedRecord, 'ADMIN');
 if (insertedRecord === null) {
 throw new Error('Failed to create record');
diff --git a/server/backend/src/scripts/ResetDB.ts b/server/backend/src/scripts/ResetDB.ts
index 1316d2820..242912532 100644
--- a/server/backend/src/scripts/ResetDB.ts
+++ b/server/backend/src/scripts/ResetDB.ts
@@ -12,7 +12,7 @@ import { Promise as BBPromise } from 'bluebird';
 import { knex, setupDbConnection, ServerDbFunctions, mainLogger as logger, BasicModel } from '@karya/common';
 import { bootstrapAuth } from './AuthBootstrap';
 import { createAllMatViews } from '../models/MatViewModel';
-import * as KeycloakUtils from '../utils/auth/KeycloakUtils';
+// import * as KeycloakUtils from '../utils/auth/KeycloakUtils';
 /**
 * Function to recreate all tables in the database
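Review bot: The role-assignment code is commented out instead of deleted — the `TokenAuthHandler` import and `assignRole(insertedRecord, 'ADMIN')` here, the `KeycloakUtils` import in ResetDB.ts and its try block in the next hunk, the same import and `assignRole(record, server_user.role!)` in ServerUserController.ts, and `grantTaskPermission` in TaskController.ts — which leaves a reader unable to tell whether external role assignment is gone for good or only disabled while something else is fixed. Delete the lines and let history hold them, and replace the now-dangling `/**Create role for admin */` with a comment that states the new model, e.g. `// Role lives on the server_user row and is read by tokenAuthoriser; no external role assignment.` bootstrapAuth continues outside the hunk.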
@@ -46,12 +46,12 @@ let scriptSequence = ['recreate-tables', 'auth-bootstrap'];
 setupDbConnection();
 // Remove server users from keycloak
- try {
- const allServerUsers = await BasicModel.getRecords('server_user', {});
- await KeycloakUtils.removeAllUsers();
- } catch (e) {
- logger.warn(e)
- }
+ // try {
+ // const allServerUsers = await BasicModel.getRecords('server_user', {});
+ // await KeycloakUtils.removeAllUsers();
+ // } catch (e) {
+ // logger.warn(e)
+ // }
 await BBPromise.mapSeries(scriptSequence, async (action) => {
diff --git a/server/backend/src/user-routes-controllers/ServerUserController.ts b/server/backend/src/user-routes-controllers/ServerUserController.ts
index 264717c13..d286ee2d4 100644
--- a/server/backend/src/user-routes-controllers/ServerUserController.ts
+++ b/server/backend/src/user-routes-controllers/ServerUserController.ts
@@ -8,7 +8,7 @@ import { ServerUser } from '@karya/core';
 import { getCreationCode } from '@karya/misc-utils';
 import { UserRouteMiddleware } from '../routes/UserRoutes';
 import * as HttpResponse from '@karya/http-response';
-import * as TokenAuthHandler from '../utils/auth/tokenAuthoriser/tokenAuthHandler/TokenAuthHandler';
+// import * as TokenAuthHandler from '../utils/auth/tokenAuthoriser/tokenAuthHandler/TokenAuthHandler';
 /**
 * Create a new server user. Cannot create an admin through this endpoint.
@@ -38,7 +38,7 @@ export const create: UserRouteMiddleware = async (ctx) => {
 const record = await BasicModel.insertRecord('server_user', server_user);
 // Assign work-provider role
- await TokenAuthHandler.assignRole(record, server_user.role!);
+ // await TokenAuthHandler.assignRole(record, server_user.role!);
 HttpResponse.OK(ctx, record);
 };
diff --git a/server/backend/src/user-routes-controllers/TaskController.ts b/server/backend/src/user-routes-controllers/TaskController.ts
index 6ef319807..f8402b253 100644
--- a/server/backend/src/user-routes-controllers/TaskController.ts
+++ b/server/backend/src/user-routes-controllers/TaskController.ts
@@ -23,7 +23,7 @@ import { upsertKaryaFile } from '../models/KaryaFileModel';
 import { inputProcessorQ, outputGeneratorQ } from '../task-ops/Index';
 import { csvToJson } from '../scenarios/Common';
 import { Promise as BBPromise } from 'bluebird';
-import * as TokenAuthHandler from '../utils/auth/tokenAuthoriser/tokenAuthHandler/TokenAuthHandler';
+// import * as TokenAuthHandler from '../utils/auth/tokenAuthoriser/tokenAuthHandler/TokenAuthHandler';
 // Task route state for routes dealing with a specific task
 type TaskState = { task: TaskRecordType };
@@ -69,7 +69,7 @@ export const create: UserRouteMiddleware = async (ctx) => {
 try {
 const insertedRecord = await BasicModel.insertRecord('task', task);
- await TokenAuthHandler.grantTaskPermission(user, insertedRecord.id, ['read', 'edit']);
+ // await TokenAuthHandler.grantTaskPermission(user, insertedRecord.id, ['read', 'edit']);
 HttpResponse.OK(ctx, insertedRecord);
 } catch (e) {
 // Internal server error
diff --git a/server/backend/src/utils/auth/tokenAuthoriser/Index.ts b/server/backend/src/utils/auth/tokenAuthoriser/Index.ts
index aa78febcd..53e708d7b 100644
--- a/server/backend/src/utils/auth/tokenAuthoriser/Index.ts
+++ b/server/backend/src/utils/auth/tokenAuthoriser/Index.ts
@@ -8,9 +8,9 @@ import * as HttpResponse from '@karya/http-response'; const policyParser = new PolicyParser(Policy);
 export const tokenAuthoriser: UserRouteMiddleware = async (ctx, next) => {
- const resourceTokens = policyParser.getResourceTokens(ctx);
+ const resourceTokens = policyParser.getResourceTokens(ctx); //reource == api
 const serverUser = await BasicModel.getSingle('server_user', { id: ctx.state.entity.id });
- const userTokens = await TokenAuthHandler.getTokens(serverUser);
+ const userTokens = [serverUser.role];
 const accessAllowed = isAccessAllowed(userTokens, resourceTokens);
 if (!accessAllowed) return HttpResponse.Forbidden(ctx, 'User does not have enough permissions, please contact admin');
From c43a38a973df08f9f22a24f3a5dae9658d53e0b9 Mon Sep 17 00:00:00 2001
From: Jain <@paypal.com>
Date: Tue, 8 Nov 2022 20:56:18 +0530
Subject: [PATCH 3/5] :hammer: Adding a new column of role_mappings in server_user which maps user priviledges to their respective roles
---
 server/backend/src/Server.ts | 5 ++++-
 server/backend/src/scripts/AuthBootstrap.ts | 3 +++
 server/core/schema/specs/KaryaDb.ts | 1 +
 3 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/server/backend/src/Server.ts b/server/backend/src/Server.ts
index 814926cf5..44278e24c 100644
--- a/server/backend/src/Server.ts
+++ b/server/backend/src/Server.ts
@@ -3,7 +3,6 @@ import dotenv from 'dotenv';
 dotenv.config();
-
 import { loadSecrets } from './secrets/Index';
 import cors from '@koa/cors';
 import Koa from 'koa';
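Review bot: `const userTokens = [serverUser.role];` makes the authorisation decision rest on the single `role` column, whereas the replaced `TokenAuthHandler.getTokens(serverUser)` could return whatever per-user grants that handler tracked — including the task-level read/edit grants whose creation this same commit removes from TaskController.ts. If the policy parsed by `policyParser` names any token that is not a role, every user is now denied for those resources, and any resource that distinguished a task's owner from other users with the same role no longer does; the commit message says where roles now come from but not what happens to those grants, and that decision belongs in a comment at this line. The added comment is also misspelled: `// resource == api` is what was meant. tokenAuthoriser continues outside the hunk.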
@@ -15,6 +14,10 @@ import { catchAll, httpRequestLogger, setupDbConnection, mainLogger as logger }
 import { createBlobContainers, createLocalFolders, setupBlobStore } from '@karya/common';
 import { envGetNumber, envGetString } from '@karya/misc-utils';
+// enable this next line in case you are facing issue : "UNABLE_TO_FIND_LOCAL_ISSUER_CERTIFICATE" while registering into application
+// process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = '0';
+
+
 // Setup Koa application
 const app = new Koa();
diff --git a/server/backend/src/scripts/AuthBootstrap.ts b/server/backend/src/scripts/AuthBootstrap.ts
index f40590dd5..9c0cbd1f0 100644
--- a/server/backend/src/scripts/AuthBootstrap.ts
+++ b/server/backend/src/scripts/AuthBootstrap.ts
@@ -30,6 +30,9 @@ export async function bootstrapAuth() {
 /** Create an admin user */
 const workProvider: ServerUser = {
 role: 'ADMIN',
+ role_mappings: {
+ role_mappings: ['ADMIN']
+ },
 access_code,
 full_name: '',
 email: '',
diff --git a/server/core/schema/specs/KaryaDb.ts b/server/core/schema/specs/KaryaDb.ts
index 9407498d1..fd689d291 100644
--- a/server/core/schema/specs/KaryaDb.ts
+++ b/server/core/schema/specs/KaryaDb.ts
@@ -72,6 +72,7 @@ const karyaDb: DatabaseSpec = {
 ['auth_id', ['string', 64], 'not unique', 'nullable', 'mutable'],
 ['id_token', ['text'], 'unique', 'nullable', 'mutable'],
 ['role', ['string', 32, 'ServerRole'], 'not unique', 'not nullable', 'not mutable'],
+ ['role_mappings', ['stringarray'], 'not unique', 'nullable', 'mutable'],
 ['full_name', ['string', 64], 'not unique', 'nullable', 'mutable'],
 ['email', ['string', 64], 'not unique', 'nullable', 'mutable'],
 ],
From 6f39373c53eb27e100041f3d9a27cb19a7c7600e Mon Sep 17 00:00:00 2001
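Review bot: The added hint `// process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = '0';` keeps a process-wide TLS certificate verification bypass one uncomment away in the server entry point; a developer who follows it to get past `UNABLE_TO_FIND_LOCAL_ISSUER_CERTIFICATE` turns off certificate checking for every outbound HTTPS connection the server makes, and nothing in the comment says to revert it before shipping. Remove both lines from Server.ts and put the guidance in the developer setup notes instead, pointing at the actual fix — adding the missing issuer certificate to the trust store, e.g. via `NODE_EXTRA_CA_CERTS` — so verification is never switched off in code that also runs in production.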
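Review bot: The admin row is written with `role_mappings: { role_mappings: ['ADMIN'] }`, an object wrapping the array, while the column added to KaryaDb.ts in this same commit is declared `['role_mappings', ['stringarray'], 'not unique', 'nullable', 'mutable']`; unless the spec generator maps `stringarray` to something other than `string[]`, the value and the column disagree, and the extra nesting forces every reader to write `role_mappings.role_mappings`. Store the array directly, `role_mappings: ['ADMIN'],`, and keep the column a string array — or change the column spec if a structured value is really intended — so that `ServerUser.role_mappings` and the database agree. The new column line would also benefit from a comment saying what the array holds and how it relates to the `role` column beside it. bootstrapAuth and karyaDb both continue outside their hunks.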
From: Jain <@paypal.com>
Date: Mon, 14 Nov 2022 08:53:32 +0530
Subject: [PATCH 4/5] :hammer: Fixing bug of role-mappings column not inserting the mappings when new users got added from UI
---
 .../src/user-routes-controllers/ServerUserController.ts | 8 ++++++++
 .../src/utils/auth/tokenAuthoriser/RoleMappings.ts | 5 +++++
 2 files changed, 13 insertions(+)
 create mode 100644 server/backend/src/utils/auth/tokenAuthoriser/RoleMappings.ts
diff --git a/server/backend/src/user-routes-controllers/ServerUserController.ts b/server/backend/src/user-routes-controllers/ServerUserController.ts
index d286ee2d4..473fde024 100644
--- a/server/backend/src/user-routes-controllers/ServerUserController.ts
+++ b/server/backend/src/user-routes-controllers/ServerUserController.ts
@@ -8,6 +8,7 @@ import { ServerUser } from '@karya/core';
 import { getCreationCode } from '@karya/misc-utils';
 import { UserRouteMiddleware } from '../routes/UserRoutes';
 import * as HttpResponse from '@karya/http-response';
+import RoleMappings from "../utils/auth/tokenAuthoriser/RoleMappings";
 // import * as TokenAuthHandler from '../utils/auth/tokenAuthoriser/tokenAuthHandler/TokenAuthHandler';
 /**
@@ -20,6 +21,13 @@ export const create: UserRouteMiddleware = async (ctx) => {
 if (server_user.role === 'ADMIN') {
 return HttpResponse.BadRequest(ctx, 'Cannot create user with ADMIN role');
 }
+ if (server_user.role === 'WORK_PROVIDER') {
+ server_user.role_mappings = RoleMappings.WORK_PROVIDER
+ }
+ if (server_user.role === 'COORDINATOR'){
+ server_user.role_mappings = RoleMappings.COORDINATOR
+
+ }
 // Generate access code and ensure it is not repeated
 let access_code: string = '';
diff --git a/server/backend/src/utils/auth/tokenAuthoriser/RoleMappings.ts b/server/backend/src/utils/auth/tokenAuthoriser/RoleMappings.ts
new file mode 100644
index 000000000..998809144
--- /dev/null
+++ b/server/backend/src/utils/auth/tokenAuthoriser/RoleMappings.ts
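Review bot: `role_mappings` is assigned only for `WORK_PROVIDER` and `COORDINATOR`, so a `server_user.role` outside those two (ADMIN is rejected just above, but an unexpected or missing value is not) reaches `insertRecord` with whatever `role_mappings` the caller supplied — and if `server_user` is built from the request body, which the hunk does not show, the client can then choose its own mappings. Derive the value from the role in every case and reject the rest, which also removes the duplicated branches, the stray blank line and the missing semicolons: `const mappings = RoleMappings[server_user.role as keyof typeof RoleMappings];` `if (mappings === undefined) return HttpResponse.BadRequest(ctx, 'Unknown role');` `server_user.role_mappings = mappings;`. `create` starts before and continues after the hunk.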
@@ -0,0 +1,5 @@
+export default {
+ ADMIN: {role_mappings:['ADMIN']},
+ WORK_PROVIDER: {role_mappings:['WORK_PROVIDER']},
+ COORDINATOR: {role_mappings:['COORDINATOR']}
+ };
\ No newline at end of file
From ab7755a234be0fb201d8619c34365f3ccf0ba87f Mon Sep 17 00:00:00 2001
From: Anurag Shukla
Date: Mon, 9 Jan 2023 22:27:15 +0530
Subject: [PATCH 5/5] Fix: use role_mappings instead of role to get user tokens
---
 server/backend/src/utils/auth/tokenAuthoriser/Index.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/backend/src/utils/auth/tokenAuthoriser/Index.ts b/server/backend/src/utils/auth/tokenAuthoriser/Index.ts
index 53e708d7b..44f64dd92 100644
--- a/server/backend/src/utils/auth/tokenAuthoriser/Index.ts
+++ b/server/backend/src/utils/auth/tokenAuthoriser/Index.ts
@@ -10,7 +10,7 @@ const policyParser = new PolicyParser(Policy);
 export const tokenAuthoriser: UserRouteMiddleware = async (ctx, next) => {
 const resourceTokens = policyParser.getResourceTokens(ctx); //reource == api
 const serverUser = await BasicModel.getSingle('server_user', { id: ctx.state.entity.id });
- const userTokens = [serverUser.role];
+ const userTokens = serverUser.role_mappings ? serverUser.role_mappings.role_mappings : [];
 const accessAllowed = isAccessAllowed(userTokens, resourceTokens);
 if (!accessAllowed) return HttpResponse.Forbidden(ctx, 'User does not have enough permissions, please contact admin');
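Review bot: Each entry maps a role to a one-element array holding the same role name, so as written the table adds an indirection (`RoleMappings.X.role_mappings`) without expressing any privilege; if the intent stated in the PATCH 3 subject is a role-to-privilege mapping, the policy tokens belong here per role, and if it is not, `[server_user.role]` does the same job without a new file. Whichever it is, give the object a type so a typo in a key or value fails to compile, e.g. `const roleMappings: Record<string, { role_mappings: string[] }> = { ... }; export default roleMappings;`, and add the missing trailing newline.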
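Review bot: `serverUser.role_mappings ? serverUser.role_mappings.role_mappings : []` fails closed for a row without mappings, which is the right default, but every `server_user` row created before the column existed has a null `role_mappings` (the column is declared nullable) and a non-null `role`, so those users lose all access on deploy while `role` is no longer consulted at all. Either backfill `role_mappings` from `role` when the column is migrated, or make the relationship explicit here — `const userTokens = serverUser.role_mappings?.role_mappings ?? [serverUser.role];` — and state in a comment which of the two columns is authoritative so they cannot drift apart silently. tokenAuthoriser continues outside the hunk.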