Additional restrictions for non-elevated users in privacy mode

Author: TimCsaky

app/src/components/constants.js

@@ -24,6 +24,14 @@ module.exports = Object.freeze({
     NONE: 'NONE'
   },
 
+  /**
+   * In COMS 'strict mode', users specific with token idp's (eg: idir)
+   * are given additional permissions.
+  */
+  ElevatedIdps: [
+    'idir'
+  ],
+
   /** Default CORS settings used across the entire application */
   DEFAULTCORS: {
     /** Tells browsers to cache preflight requests for Access-Control-Max-Age seconds */

app/src/controllers/bucket.js

@@ -194,11 +194,24 @@ const controller = {
       await controller._validateCredentials(childBucket);
       childBucket.userId = await userService.getCurrentUserId(getCurrentIdentity(req.currentUser, SYSTEM_USER));
 
-      // assign all permissions
-      childBucket.permCodes = Object.values(Permissions);
+
+      // if non-elevated user, exclude MANAGE and DELETE permission
+      // ---------------------
+      // childBucket.permCodes = Object.values(Permissions);
 
       // Create child bucket
       const response = await bucketService.create(childBucket);
+
+
+      /**
+       * copy all permissions from parent to child
+       * exclude MANAGE and DELETE of external users
+       *
+       * we also need a migration to give top-level bucket creator, if idir, the MANAGE permission on all sub-folders.
+       * or use the recursive sync flow
+       */
+
+
       res.status(201).json(redactSecrets(response, secretFields));
     } catch (e) {
       next(errorToProblem(SERVICE, e));

app/src/middleware/authorization.js

@@ -1,7 +1,7 @@
 const Problem = require('api-problem');
 
 const log = require('../components/log')(module.filename);
-const { AuthMode, AuthType, Permissions } = require('../components/constants');
+const { AuthMode, AuthType, Permissions, ElevatedIdps } = require('../components/constants');
 const {
   getAppAuthMode,
   getCurrentIdentity,
@@ -223,7 +223,7 @@ const restrictNonIdirUserSearch = async (req, _res, next) => {
   try {
     if (getConfigBoolean('server.privacyMask') &&
       req.currentUser.authType === AuthType.BEARER &&
-      req.currentUser.tokenPayload.identity_provider !== 'idir' &&
+      !ElevatedIdps.includes(req.currentUser.tokenPayload.identity_provider) &&
       !hasOnlyPermittedKeys(req.query, ['email', 'userId', 'identityId'])
     ) {
       throw new Error('User lacks permission to complete this action');
@@ -243,10 +243,66 @@ const restrictNonIdirUserSearch = async (req, _res, next) => {
 
   next();
 };
+
+/**
+ * If privacyMask (soon to be renamed as 'strictMode' to support additional feature restroctions)
+ * is true and request is from a non-idir user, throw a permission error
+ */
+const checkElevatedUser = async (req, _res, next) => {
+  try {
+    if (getConfigBoolean('server.privacyMask') &&
+      req.currentUser.authType === AuthType.BEARER &&
+      !ElevatedIdps.includes(req.currentUser.tokenPayload.identity_provider)) {
+      throw new Error('User lacks permission to complete this action');
+    }
+  }
+  catch (err) {
+    log.verbose(err.message, { function: 'checkElevatedUser' });
+    return next(new Problem(403, {
+      detail: err.message,
+      instance: req.originalUrl
+    }));
+  }
   next();
 };
 
+/**
+ * If 'strict mode' is enabled
+ * deny non-elevated user's the MANAGE and DELETE permission
+ *  probably not going to bother with this. just block making folder public
+ */
+// const checkGrantingPermittedPermissions = async (req, _res, next) => {
+//   try {
+//     if (getConfigBoolean('server.privacyMask')) {
+//       // check if subject is a non-elevated user
+//       const managePerms = req.body
+//         .map(p => ({ ...p, permCode: p.permCode.toUpperCase().trim() }))
+//         .filter(obj => obj.permCode === Permissions.MANAGE || obj.permCode === Permissions.DELETE);
+//       for (const perm of managePerms) {
+//         const user = await userService.readUser(perm.userId);
+//         if (!ElevatedIdps.includes(user.idp)) {
+//           throw new Error(`Subject is not permitted to have ${perm.permCode} permission`);
+//         }
+//       }
+//     }
+//   }
+//   catch (err) {
+//     log.verbose(err.message, { function: 'checkGrantingPermittedPermissions' });
+//     return next(new Problem(403, {
+//       detail: err.message,
+//       instance: req.originalUrl
+//     }));
+//   }
+//   next();
+// };
+
 module.exports = {
+  _checkPermission,
+  checkAppMode,
+  checkS3BasicAccess,
+  currentObject,
+  hasPermission,
   restrictNonIdirUserSearch,
-  isElevatedUser
+  checkElevatedUser,
+  // checkGrantingPermittedPermissions
 };

app/src/routes/v1/bucket.js

@@ -6,7 +6,12 @@ const { isTruthy } = require('../../components/utils');
 const { bucketController, syncController } = require('../../controllers');
 const { bucketValidator } = require('../../validators');
 const { requireSomeAuth } = require('../../middleware/featureToggle');
-const { checkAppMode, hasPermission, checkS3BasicAccess } = require('../../middleware/authorization');
+const {
+  checkAppMode,
+  hasPermission,
+  checkS3BasicAccess,
+  checkElevatedUser
+} = require('../../middleware/authorization');
 
 router.use(checkAppMode);
 router.use(requireSomeAuth);
@@ -16,6 +21,7 @@ router.put('/',
   express.json(),
   bucketValidator.createBucket,
   checkS3BasicAccess,
+  checkElevatedUser,
   (req, res, next) => {
     bucketController.createBucket(req, res, next);
   });
@@ -55,6 +61,7 @@ router.patch('/:bucketId',
   express.json(),
   bucketValidator.updateBucket,
   checkS3BasicAccess,
+  checkElevatedUser,
   hasPermission(Permissions.MANAGE),
   (req, res, next) => {
     bucketController.updateBucket(req, res, next);
@@ -65,17 +72,22 @@ router.patch('/:bucketId',
 router.delete('/:bucketId',
   bucketValidator.deleteBucket,
   checkS3BasicAccess,
+  checkElevatedUser,
   hasPermission(Permissions.DELETE),
   (req, res, next) => {
     bucketController.deleteBucket(req, res, next);
   });
 
-/** Creates a child bucket */
+/**
+ * Creates a child bucket
+ * Note: operation requires CREATE permission on parent
+ * */
 router.put('/:bucketId/child',
   express.json(),
   bucketValidator.createBucketChild,
   checkS3BasicAccess,
-  hasPermission(Permissions.MANAGE),
+  checkElevatedUser,
+  hasPermission(Permissions.CREATE),
   (req, res, next) => {
     bucketController.createBucketChild(req, res, next);
   }
@@ -94,6 +106,7 @@ router.get('/:bucketId/sync',
     if (isTruthy(req.query.recursive)) next();
     else next('route');
   },
+  checkElevatedUser,
   hasPermission(Permissions.MANAGE),
   (req, res, next) => syncController.syncBucketRecursive(req, res, next));
 

app/src/routes/v1/object.js

@@ -4,7 +4,13 @@ const helmet = require('helmet');
 const { Permissions } = require('../../components/constants');
 const { objectController, syncController } = require('../../controllers');
 const { objectValidator } = require('../../validators');
-const { checkAppMode, checkS3BasicAccess, currentObject, hasPermission } = require('../../middleware/authorization');
+const {
+  checkAppMode,
+  checkS3BasicAccess,
+  currentObject,
+  hasPermission,
+  checkElevatedUser
+} = require('../../middleware/authorization');
 const { requireSomeAuth } = require('../../middleware/featureToggle');
 const { currentUpload } = require('../../middleware/upload');
 
@@ -110,6 +116,7 @@ router.get('/:objectId/version',
 
 /** creates a new version of an object using either a specified version or latest as the source */
 router.put('/:objectId/version',
+  requireSomeAuth,
   objectValidator.copyVersion,
   currentObject,
   checkS3BasicAccess,
@@ -124,6 +131,7 @@ router.patch('/:objectId/public',
   objectValidator.togglePublic,
   currentObject,
   checkS3BasicAccess,
+  checkElevatedUser,
   hasPermission(Permissions.MANAGE),
   (req, res, next) => {
     objectController.togglePublic(req, res, next);
@@ -202,7 +210,7 @@ router.put('/:objectId/tagging',
   }
 );
 
-/** Add tags to an object */
+/** Delete tags from an object */
 router.delete('/:objectId/tagging',
   requireSomeAuth,
   objectValidator.deleteTags,

app/src/routes/v1/permission/bucketPermission.js

@@ -4,7 +4,14 @@ const router = express.Router();
 const { Permissions } = require('../../../components/constants');
 const { bucketPermissionController } = require('../../../controllers');
 const { bucketPermissionValidator } = require('../../../validators');
-const { checkAppMode, currentObject, checkS3BasicAccess, hasPermission } = require('../../../middleware/authorization');
+const {
+  checkAppMode,
+  currentObject,
+  checkS3BasicAccess,
+  hasPermission,
+  checkElevatedUser,
+  // checkGrantingPermittedPermissions
+} = require('../../../middleware/authorization');
 const { requireSomeAuth } = require('../../../middleware/featureToggle');
 
 router.use(checkAppMode);
@@ -35,6 +42,9 @@ router.put('/:bucketId',
   bucketPermissionValidator.addPermissions,
   currentObject,
   checkS3BasicAccess,
+  checkElevatedUser,
+  // probably not going to bother with this. just block making folder public
+  // checkGrantingPermittedPermissions,
   hasPermission(Permissions.MANAGE),
   (req, res, next) => {
     bucketPermissionController.addPermissions(req, res, next);
@@ -46,6 +56,7 @@ router.delete('/:bucketId',
   bucketPermissionValidator.removePermissions,
   currentObject,
   checkS3BasicAccess,
+  checkElevatedUser,
   hasPermission(Permissions.MANAGE),
   (req, res, next) => {
     bucketPermissionController.removePermissions(req, res, next);

app/src/routes/v1/permission/invite.js

@@ -3,7 +3,7 @@ const router = express.Router();
 
 const { inviteController } = require('../../../controllers');
 const { inviteValidator } = require('../../../validators');
-const { checkS3BasicAccess } = require('../../../middleware/authorization');
+const { checkS3BasicAccess, checkElevatedUser } = require('../../../middleware/authorization');
 const { requireBearerAuth, requireSomeAuth } = require('../../../middleware/featureToggle');
 
 router.use(requireSomeAuth);
@@ -13,6 +13,7 @@ router.post('/',
   express.json(),
   inviteValidator.createInvite,
   checkS3BasicAccess,
+  checkElevatedUser,
   (req, res, next) => {
     inviteController.createInvite(req, res, next);
   });

app/src/routes/v1/permission/objectPermission.js

@@ -4,7 +4,14 @@ const router = express.Router();
 const { Permissions } = require('../../../components/constants');
 const { objectPermissionController } = require('../../../controllers');
 const { objectPermissionValidator } = require('../../../validators');
-const { checkAppMode, currentObject, checkS3BasicAccess, hasPermission } = require('../../../middleware/authorization');
+const {
+  checkAppMode,
+  currentObject,
+  checkS3BasicAccess,
+  hasPermission,
+  checkElevatedUser,
+  // checkGrantingPermittedPermissions
+} = require('../../../middleware/authorization');
 const { requireSomeAuth } = require('../../../middleware/featureToggle');
 
 router.use(checkAppMode);
@@ -35,6 +42,8 @@ router.put('/:objectId',
   objectPermissionValidator.addPermissions,
   currentObject,
   checkS3BasicAccess,
+  checkElevatedUser,
+  // checkGrantingPermittedPermissions,
   hasPermission(Permissions.MANAGE),
   (req, res, next) => {
     objectPermissionController.addPermissions(req, res, next);
@@ -46,6 +55,7 @@ router.delete('/:objectId',
   objectPermissionValidator.removePermissions,
   currentObject,
   checkS3BasicAccess,
+  checkElevatedUser,
   hasPermission(Permissions.MANAGE),
   (req, res, next) => {
     objectPermissionController.removePermissions(req, res, next);

app/src/services/bucketPermission.js

@@ -33,12 +33,12 @@ const service = {
       const currentPerms = await service.searchPermissions({ bucketId });
       const obj = data
         // Ensure all codes are upper cased
-        .map(p => ({ ...p, code: p.permCode.toUpperCase().trim() }))
+        .map(p => ({ ...p, permCode: p.permCode.toUpperCase().trim() }))
         // Filter out any invalid code values
         .filter(p => Object.values(Permissions).some(perm => perm === p.permCode))
         // Filter entry tuples that already exist
         .filter(p => !currentPerms.some(cp => cp.userId === p.userId && cp.permCode === p.permCode))
-        // Create DB buckets to insert
+        // Create DB records to insert
         .map(p => ({
           id: uuidv4(),
           userId: p.userId,