From 8ca8dd17cea26c574f29fbf6d3d9f2432f4ccec1 Mon Sep 17 00:00:00 2001 From: Alan Malta Rodrigues Date: Tue, 21 Jun 2022 21:50:13 -0400 Subject: [PATCH] remove all the CMS authz logic from the CouchDB validate functions --- src/couchapps/ACDC/validate_doc_update.js | 46 ------------------ src/couchapps/LogDB/validate_doc_update.js | 45 ------------------ src/couchapps/ReqMgr/validate_doc_update.js | 45 ------------------ .../ReqMgrAux/validate_doc_update.js | 43 ----------------- .../T0Request/validate_doc_update.js | 47 +------------------ src/couchapps/WMStats/validate_doc_update.js | 43 ----------------- .../WMStatsAgent/validate_doc_update.js | 32 ------------- .../WorkQueue/validate_doc_update.js | 17 ------- .../WorkloadSummary/validate_doc_update.js | 24 ++-------- .../couchskel/validate_doc_update.js | 41 ---------------- 10 files changed, 4 insertions(+), 379 deletions(-) diff --git a/src/couchapps/ACDC/validate_doc_update.js b/src/couchapps/ACDC/validate_doc_update.js index 72233b551f..f063b89883 100644 --- a/src/couchapps/ACDC/validate_doc_update.js +++ b/src/couchapps/ACDC/validate_doc_update.js 
@@ -6,50 +6,4 @@ function(newDoc, oldDoc, userCtx) { delet : 2 }; var docOp = oldDoc ? (newDoc._deleted === true ? DOCOPS.delet : DOCOPS.modif) : DOCOPS.creat; - - // Function to get the user list of site/groups for the given role - var getRole = function(role) { - var roles = userCtx.roles; - for (i in roles) { - if ( typeof (roles[i]) == "object" && roles[i][0] === role) - return roles[i][1]; - // Request comes from backend auth handler - if ( typeof (roles[i]) == "string" && roles[i] === role) - return []; - // Request comes from other handlers (i.e. host auth) - } - return null; - } - // Function to check if user has the role for a given group or site - var matchesRole = function(role, grpsite) { - var r = getRole(role); - if (r != null) - if (grpsite === "" || r.indexOf(grpsite) != -1) - return true; - return false; - } - // Gets whether the user is a global admin - // name=null means requests coming from the local replicator, so we must allow - // (the cms couch auth does not allow name=null, so it affects only internal - // replication requests) - var isGlobalAdm = (userCtx.name === null) || - matchesRole("_admin", "") || - matchesRole("-admin", "group:couchdb"); - - //--------------------------------- - // Authorization rules for Myapp DB - - // The following rule aplies for all operation types - var allowed = isGlobalAdm || - matchesRole("admin", "group:reqmgr") || - matchesRole("web-service", "group:facops") || - matchesRole("production-operator", "group:dataops"); - - // Throw if user not validated - if (!allowed) { - log(toJSON(userCtx)); - throw { - forbidden : "User not authorized for action." - }; - } } diff --git a/src/couchapps/LogDB/validate_doc_update.js b/src/couchapps/LogDB/validate_doc_update.js index d216f89d63..f4bb1e671d 100644 --- a/src/couchapps/LogDB/validate_doc_update.js +++ b/src/couchapps/LogDB/validate_doc_update.js 
@@ -3,49 +3,4 @@ function(newDoc, oldDoc, userCtx) { var DOCOPS = { modif:0, creat:1, delet:2 }; var docOp = oldDoc ? (newDoc._deleted === true ? DOCOPS.delet : DOCOPS.modif) : DOCOPS.creat; - - // Function to get the user list of site/groups for the given role - var getRole = function(role) { - var roles = userCtx.roles; - for (i in roles) { - if(typeof(roles[i]) == "object" && roles[i][0] === role) - return roles[i][1]; // Request comes from backend auth handler - if(typeof(roles[i]) == "string" && roles[i] === role) - return []; // Request comes from other handlers (i.e. host auth) - } - return null; - } - - // Function to check if user has the role for a given group or site - var matchesRole = function(role, grpsite) { - var r = getRole(role); - if (r != null) - if (grpsite === "" || r.indexOf(grpsite) != -1) - return true; - return false; - } - - // Gets whether the user is a global admin - // name=null means requests coming from the local replicator, so we must allow - // (the cms couch auth does not allow name=null, so it affects only internal - // replication requests) - var isGlobalAdm = (userCtx.name === null) - || matchesRole("admin", "") - || matchesRole("_admin", "") - || matchesRole("-admin", "group:couchdb"); - - //--------------------------------- - // Authorization rules for Myapp DB - - // The following rule aplies for all operation types - var allowed = isGlobalAdm || matchesRole("admin", "group:reqmgr") - || matchesRole("web-service", "group:facops") - || matchesRole("t0-operator","group:dataops") - || matchesRole("production-operator", "group:dataops"); - - // Throw if user not validated - if(!allowed) { - log(toJSON(userCtx)); - throw {forbidden: "User not authorized for action."}; - } } diff --git a/src/couchapps/ReqMgr/validate_doc_update.js b/src/couchapps/ReqMgr/validate_doc_update.js index 6bff8fa986..f4bb1e671d 100644 --- a/src/couchapps/ReqMgr/validate_doc_update.js +++ b/src/couchapps/ReqMgr/validate_doc_update.js 
@@ -3,49 +3,4 @@ function(newDoc, oldDoc, userCtx) { var DOCOPS = { modif:0, creat:1, delet:2 }; var docOp = oldDoc ? (newDoc._deleted === true ? DOCOPS.delet : DOCOPS.modif) : DOCOPS.creat; - - // Function to get the user list of site/groups for the given role - var getRole = function(role) { - var roles = userCtx.roles; - for (i in roles) { - if(typeof(roles[i]) == "object" && roles[i][0] === role) - return roles[i][1]; // Request comes from backend auth handler - if(typeof(roles[i]) == "string" && roles[i] === role) - return []; // Request comes from other handlers (i.e. host auth) - } - return null; - } - - // Function to check if user has the role for a given group or site - var matchesRole = function(role, grpsite) { - var r = getRole(role); - if (r != null) - if (grpsite === "" || r.indexOf(grpsite) != -1) - return true; - return false; - } - - // Gets whether the user is a global admin - // name=null means requests coming from the local replicator, so we must allow - // (the cms couch auth does not allow name=null, so it affects only internal - // replication requests) - var isGlobalAdm = (userCtx.name === null) - || matchesRole("admin", "") - || matchesRole("_admin", "") - || matchesRole("-admin", "group:couchdb"); - - //--------------------------------- - // Authorization rules for Myapp DB - - // The following rule aplies for all operation types - var allowed = isGlobalAdm || matchesRole("admin", "group:reqmgr") - || matchesRole("data-manager", "group:reqmgr") - || matchesRole("web-service", "group:facops") - || matchesRole("production-operator", "group:dataops"); - - // Throw if user not validated - if(!allowed) { - log(toJSON(userCtx)); - throw {forbidden: "User not authorized for action."}; - } } diff --git a/src/couchapps/ReqMgrAux/validate_doc_update.js b/src/couchapps/ReqMgrAux/validate_doc_update.js index 24b240ea4a..e5749acae4 100644 --- a/src/couchapps/ReqMgrAux/validate_doc_update.js +++ b/src/couchapps/ReqMgrAux/validate_doc_update.js 
@@ -3,47 +3,4 @@ function(newDoc, oldDoc, userCtx) { var DOCOPS = { modif:0, creat:1, delet:2 }; var docOp = oldDoc ? (newDoc._deleted === true ? DOCOPS.delet : DOCOPS.modif) : DOCOPS.creat; - - // Function to get the user list of site/groups for the given role - var getRole = function(role) { - var roles = userCtx.roles; - for (i in roles) { - if(typeof(roles[i]) == "object" && roles[i][0] === role) - return roles[i][1]; // Request comes from backend auth handler - if(typeof(roles[i]) == "string" && roles[i] === role) - return []; // Request comes from other handlers (i.e. host auth) - } - return null; - } - - // Function to check if user has the role for a given group or site - var matchesRole = function(role, grpsite) { - var r = getRole(role); - if (r != null) - if (grpsite === "" || r.indexOf(grpsite) != -1) - return true; - return false; - } - - // Gets whether the user is a global admin - // name=null means requests coming from the local replicator, so we must allow - // (the cms couch auth does not allow name=null, so it affects only internal - // replication requests) - var isGlobalAdm = (userCtx.name === null) - || matchesRole("_admin", "") - || matchesRole("-admin", "group:couchdb"); - - //--------------------------------- - // Authorization rules for Myapp DB - - // The following rule aplies for all operation types - var allowed = isGlobalAdm || matchesRole("admin", "group:reqmgr") - || matchesRole("web-service", "group:facops") - || matchesRole("production-operator", "group:dataops"); - - // Throw if user not validated - if(!allowed) { - log(toJSON(userCtx)); - throw {forbidden: "User not authorized for action."}; - } } \ No newline at end of file diff --git a/src/couchapps/T0Request/validate_doc_update.js b/src/couchapps/T0Request/validate_doc_update.js index ea4862dde7..e5749acae4 100644 --- a/src/couchapps/T0Request/validate_doc_update.js +++ b/src/couchapps/T0Request/validate_doc_update.js 
@@ -3,49 +3,4 @@ function(newDoc, oldDoc, userCtx) { var DOCOPS = { modif:0, creat:1, delet:2 }; var docOp = oldDoc ? (newDoc._deleted === true ? DOCOPS.delet : DOCOPS.modif) : DOCOPS.creat; - - // Function to get the user list of site/groups for the given role - var getRole = function(role) { - var roles = userCtx.roles; - for (i in roles) { - if(typeof(roles[i]) == "object" && roles[i][0] === role) - return roles[i][1]; // Request comes from backend auth handler - if(typeof(roles[i]) == "string" && roles[i] === role) - return []; // Request comes from other handlers (i.e. host auth) - } - return null; - }; - - // Function to check if user has the role for a given group or site - var matchesRole = function(role, grpsite) { - var r = getRole(role); - if (r != null) - if (grpsite === "" || r.indexOf(grpsite) != -1) - return true; - return false; - }; - - // Gets whether the user is a global admin - // name=null means requests coming from the local replicator, so we must allow - // (the cms couch auth does not allow name=null, so it affects only internal - // replication requests) - var isGlobalAdm = (userCtx.name === null) - || matchesRole("admin", "") - || matchesRole("_admin", "") - || matchesRole("-admin", "group:couchdb"); - - //--------------------------------- - // Authorization rules for Myapp DB - - // The following rule aplies for all operation types - var allowed = isGlobalAdm || matchesRole("admin", "group:reqmgr") - || matchesRole("web-service", "group:facops") - || matchesRole("t0-operator","group:dataops") - || matchesRole("production-operator", "group:dataops"); - - // Throw if user not validated - if(!allowed) { - log(toJSON(userCtx)); - throw {forbidden: "User not authorized for action."}; - } -}; \ No newline at end of file +} \ No newline at end of file diff --git a/src/couchapps/WMStats/validate_doc_update.js b/src/couchapps/WMStats/validate_doc_update.js index ab6d0174ae..c7d2d3879a 100644 --- a/src/couchapps/WMStats/validate_doc_update.js 
+++ b/src/couchapps/WMStats/validate_doc_update.js @@ -7,47 +7,4 @@ function(newDoc, oldDoc, userCtx) { if (newDoc._deleted === true && !oldDoc) { throw({forbidden: 'Do not create deleted docs'}); } - - // Function to get the user list of site/groups for the given role - var getRole = function(role) { - var roles = userCtx.roles; - for (i in roles) { - if(typeof(roles[i]) == "object" && roles[i][0] === role) - return roles[i][1]; // Request comes from backend auth handler - if(typeof(roles[i]) == "string" && roles[i] === role) - return []; // Request comes from other handlers (i.e. host auth) - } - return null; - }; - // Function to check if user has the role for a given group or site - var matchesRole = function(role, grpsite) { - var r = getRole(role); - if (r != null) - if (grpsite === "" || r.indexOf(grpsite) != -1) - return true; - return false; - }; - - // Gets whether the user is a global admin - // name=null means requests coming from the local replicator, so we must allow - // (the cms couch auth does not allow name=null, so it affects only internal - // replication requests) - var isGlobalAdm = (userCtx.name === null) - || matchesRole("admin","") - || matchesRole("_admin","") - || matchesRole("-admin","group:couchdb"); - - //--------------------------------- - // Authorization rules for Myapp DB - - // The following rule aplies for all operation types - var allowed = isGlobalAdm || matchesRole("web-service","group:facops") - || matchesRole("t0-operator","group:dataops") - || matchesRole("production-operator","group:dataops"); - - // Throw if user not validated - if(!allowed) { - log(toJSON(userCtx)); - throw {forbidden: "User not authorized for action."}; - } } diff --git a/src/couchapps/WMStatsAgent/validate_doc_update.js b/src/couchapps/WMStatsAgent/validate_doc_update.js index 2735298ccc..0a9781791e 100644 --- a/src/couchapps/WMStatsAgent/validate_doc_update.js +++ b/src/couchapps/WMStatsAgent/validate_doc_update.js 
@@ -7,36 +7,4 @@ function(newDoc, oldDoc, userCtx) { if (newDoc._deleted === true && !oldDoc) { throw({forbidden: 'Do not create deleted docs'}); } - - // Function to get the user list of site/groups for the given role - var getRole = function(role) { - var roles = userCtx.roles; - for (i in roles) { - if(typeof(roles[i]) == "object" && roles[i][0] === role) - return roles[i][1]; // Request comes from backend auth handler - if(typeof(roles[i]) == "string" && roles[i] === role) - return []; // Request comes from other handlers (i.e. host auth) - } - return null; - }; - // Function to check if user has the role for a given group or site - var matchesRole = function(role, grpsite) { - var r = getRole(role); - if (r != null) - if (grpsite === "" || r.indexOf(grpsite) != -1) - return true; - return false; - }; - - // Gets whether the user is a global admin - // name=null means requests coming from the local replicator, so we must allow - // (the cms couch auth does not allow name=null, so it affects only internal - // replication requests) - var allowed = (userCtx.name === null) || matchesRole("_admin",""); - - // Throw if user not validated - if(!allowed) { - log(toJSON(userCtx)); - throw {forbidden: "User not authorized for action."}; - } } \ No newline at end of file diff --git a/src/couchapps/WorkQueue/validate_doc_update.js b/src/couchapps/WorkQueue/validate_doc_update.js index 538b9990ad..ca12b0162a 100644 --- a/src/couchapps/WorkQueue/validate_doc_update.js +++ b/src/couchapps/WorkQueue/validate_doc_update.js 
@@ -5,21 +5,4 @@ function(newDoc, oldDoc, userCtx) { throw({forbidden: 'Do not create deleted docs'}); } - var validation = require("lib/validate").init(newDoc, oldDoc, userCtx); - - // Admins can do anything - if (validation.isAdmin()) { - return true; - } - - // Either Developer or DataOps Operator/Manager required - if (validation.hasGroupRole("dataops", "developer") || - validation.hasGroupRole("dataops", "production-operator") || - validation.hasGroupRole("facops", "web-service")) { - return true; - } - - // authentication failed - log("Authentication failed: " + toJSON(userCtx)); - throw {forbidden: "User not validated for action"}; } diff --git a/src/couchapps/WorkloadSummary/validate_doc_update.js b/src/couchapps/WorkloadSummary/validate_doc_update.js index b43479d198..9da111af91 100644 --- a/src/couchapps/WorkloadSummary/validate_doc_update.js +++ b/src/couchapps/WorkloadSummary/validate_doc_update.js @@ -2,25 +2,7 @@ function(newDoc, oldDoc, userCtx) { // We only care if the user is someone with the correct permissions // there is no difference between creating a new doc or updating an old one - var validation = require("lib/validate").init(newDoc, oldDoc, userCtx); - - // Gets whether the user is a global admin - // name=null means requests coming from the local replicator, so we must allow - // (the cms couch auth does not allow name=null, so it affects only internal requests) - var isGlobalAdm = (userCtx.name === null) - - // Admins can do anything - if (validation.isAdmin() || isGlobalAdm) { - return true; - } - - // Either Developer or DataOps Operator/Manager required - if (validation.hasGroupRole("dataops", "developer") || - validation.hasGroupRole("dataops", "production-operator")) { - return true; - } - - // authentication failed - log("Authentication failed: " + toJSON(userCtx)); - throw {forbidden: "User not validated for action"}; + if (newDoc._deleted === true && !oldDoc) { + throw({forbidden: 'Do not create deleted docs'}); + } } 
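Review bot: The two comment lines kept at the top of the WorkloadSummary function ("We only care if the user is someone with the correct permissions ...") no longer match the code, because after this hunk the only check left is the deleted-document guard and `userCtx` is never read. I would replace them with something like `// No authorization here: write access must be enforced outside this function (database _security object or the fronting auth layer)`, so nobody mistakes this function for an access check. Nothing visible in the patch shows where the removed role checks are now enforced, so that should be confirmed before this is deployed. The same applies to the other couchapps in this commit: ACDC, LogDB, ReqMgr, ReqMgrAux, T0Request and couchskel are left computing an unused `docOp` and accepting every write that reaches them.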
diff --git a/src/couchapps/couchskel/validate_doc_update.js b/src/couchapps/couchskel/validate_doc_update.js index c11734d6be..f4bb1e671d 100644 --- a/src/couchapps/couchskel/validate_doc_update.js +++ b/src/couchapps/couchskel/validate_doc_update.js @@ -3,45 +3,4 @@ function(newDoc, oldDoc, userCtx) { var DOCOPS = { modif:0, creat:1, delet:2 }; var docOp = oldDoc ? (newDoc._deleted === true ? DOCOPS.delet : DOCOPS.modif) : DOCOPS.creat; - - // Function to get the user list of site/groups for the given role - var getRole = function(role) { - var roles = userCtx.roles; - for (i in roles) { - if(typeof(roles[i]) == "object" && roles[i][0] === role) - return roles[i][1]; // Request comes from backend auth handler - if(typeof(roles[i]) == "string" && roles[i] === role) - return []; // Request comes from other handlers (i.e. host auth) - } - return null; - } - - // Function to check if user has the role for a given group or site - var matchesRole = function(role, grpsite) { - var r = getRole(role); - if (r != null) - if (grpsite === "" || r.indexOf(grpsite) != -1) - return true; - return false; - } - - // Gets whether the user is a global admin - // name=null means requests coming from the local replicator, so we must allow - // (the cms couch auth does not allow name=null, so it affects only internal - // replication requests) - var isGlobalAdm = (userCtx.name === null) - || matchesRole("_admin","") - || matchesRole("-admin","group:couchdb"); - - //--------------------------------- - // Authorization rules for Myapp DB - - // The following rule aplies for all operation types - var allowed = isGlobalAdm || matchesRole("operator","group:myapp"); - - // Throw if user not validated - if(!allowed) { - log(toJSON(userCtx)); - throw {forbidden: "User not authorized for action."}; - } }