remove all the CMS authz logic from the CouchDB validate functions

src/couchapps/ACDC/validate_doc_update.js

@@ -6,50 +6,4 @@ function(newDoc, oldDoc, userCtx) {
         delet : 2
     };
     var docOp = oldDoc ? (newDoc._deleted === true ? DOCOPS.delet : DOCOPS.modif) : DOCOPS.creat;
-
-    // Function to get the user list of site/groups for the given role
-    var getRole = function(role) {
-        var roles = userCtx.roles;
-        for (i in roles) {
-            if ( typeof (roles[i]) == "object" && roles[i][0] === role)
-                return roles[i][1];
-            // Request comes from backend auth handler
-            if ( typeof (roles[i]) == "string" && roles[i] === role)
-                return [];
-            // Request comes from other handlers (i.e. host auth)
-        }
-        return null;
-    }
-    // Function to check if user has the role for a given group or site
-    var matchesRole = function(role, grpsite) {
-        var r = getRole(role);
-        if (r != null)
-            if (grpsite === "" || r.indexOf(grpsite) != -1)
-                return true;
-        return false;
-    }
-    // Gets whether the user is a global admin
-    // name=null means requests coming from the local replicator, so we must allow
-    // (the cms couch auth does not allow name=null, so it affects only internal
-    // replication requests)
-    var isGlobalAdm = (userCtx.name === null) ||
-                      matchesRole("_admin", "") ||
-                      matchesRole("-admin", "group:couchdb");
-
-    //---------------------------------
-    // Authorization rules for Myapp DB
-
-    // The following rule aplies for all operation types
-    var allowed = isGlobalAdm ||
-                  matchesRole("admin", "group:reqmgr") ||
-                  matchesRole("web-service", "group:facops") ||
-                  matchesRole("production-operator", "group:dataops");
-
-    // Throw if user not validated
-    if (!allowed) {
-        log(toJSON(userCtx));
-        throw {
-            forbidden : "User not authorized for action."
-        };
-    }
 }

src/couchapps/LogDB/validate_doc_update.js

@@ -3,49 +3,4 @@ function(newDoc, oldDoc, userCtx) {
    var DOCOPS = { modif:0, creat:1, delet:2 };
    var docOp = oldDoc ? (newDoc._deleted === true ? DOCOPS.delet : DOCOPS.modif)
                       : DOCOPS.creat;
-
-   // Function to get the user list of site/groups for the given role
-   var getRole = function(role) {
-      var roles = userCtx.roles;
-      for (i in roles) {
-         if(typeof(roles[i]) == "object" && roles[i][0] === role)
-            return roles[i][1]; // Request comes from backend auth handler
-         if(typeof(roles[i]) == "string" && roles[i] === role)
-            return []; // Request comes from other handlers (i.e. host auth)
-      }
-      return null;
-   }
-
-   // Function to check if user has the role for a given group or site
-   var matchesRole = function(role, grpsite) {
-      var r = getRole(role);
-      if (r != null)
-         if (grpsite === "" || r.indexOf(grpsite) != -1)
-            return true;
-      return false;
-   }
-
-   // Gets whether the user is a global admin
-   // name=null means requests coming from the local replicator, so we must allow
-   // (the cms couch auth does not allow name=null, so it affects only internal
-   // replication requests)
-   var isGlobalAdm = (userCtx.name === null)
-                     || matchesRole("admin", "")
-                     || matchesRole("_admin", "")
-                     || matchesRole("-admin", "group:couchdb");
-
-   //---------------------------------
-   // Authorization rules for Myapp DB
-
-   // The following rule aplies for all operation types
-   var allowed = isGlobalAdm || matchesRole("admin", "group:reqmgr")
-                             || matchesRole("web-service", "group:facops")
-                             || matchesRole("t0-operator","group:dataops")
-                             || matchesRole("production-operator", "group:dataops");
-
-   // Throw if user not validated
-   if(!allowed) {
-      log(toJSON(userCtx));
-      throw {forbidden: "User not authorized for action."};
-   }
 }

src/couchapps/ReqMgr/validate_doc_update.js

@@ -3,49 +3,4 @@ function(newDoc, oldDoc, userCtx) {
    var DOCOPS = { modif:0, creat:1, delet:2 };
    var docOp = oldDoc ? (newDoc._deleted === true ? DOCOPS.delet : DOCOPS.modif)
                       : DOCOPS.creat;
-
-   // Function to get the user list of site/groups for the given role
-   var getRole = function(role) {
-      var roles = userCtx.roles;
-      for (i in roles) {
-         if(typeof(roles[i]) == "object" && roles[i][0] === role)
-            return roles[i][1]; // Request comes from backend auth handler
-         if(typeof(roles[i]) == "string" && roles[i] === role)
-            return []; // Request comes from other handlers (i.e. host auth)
-      }
-      return null;
-   }
-
-   // Function to check if user has the role for a given group or site
-   var matchesRole = function(role, grpsite) {
-      var r = getRole(role);
-      if (r != null)
-         if (grpsite === "" || r.indexOf(grpsite) != -1)
-            return true;
-      return false;
-   }
-
-   // Gets whether the user is a global admin
-   // name=null means requests coming from the local replicator, so we must allow
-   // (the cms couch auth does not allow name=null, so it affects only internal
-   // replication requests)
-   var isGlobalAdm = (userCtx.name === null)
-                     || matchesRole("admin", "")
-                     || matchesRole("_admin", "")
-                     || matchesRole("-admin", "group:couchdb");
-
-   //---------------------------------
-   // Authorization rules for Myapp DB
-
-   // The following rule aplies for all operation types
-   var allowed = isGlobalAdm || matchesRole("admin", "group:reqmgr")
-                             || matchesRole("data-manager", "group:reqmgr")
-                             || matchesRole("web-service", "group:facops")
-                             || matchesRole("production-operator", "group:dataops");
-
-   // Throw if user not validated
-   if(!allowed) {
-      log(toJSON(userCtx));
-      throw {forbidden: "User not authorized for action."};
-   }
 }

src/couchapps/ReqMgrAux/validate_doc_update.js

@@ -3,47 +3,4 @@ function(newDoc, oldDoc, userCtx) {
    var DOCOPS = { modif:0, creat:1, delet:2 };
    var docOp = oldDoc ? (newDoc._deleted === true ? DOCOPS.delet : DOCOPS.modif)
                       : DOCOPS.creat;
-
-   // Function to get the user list of site/groups for the given role
-   var getRole = function(role) {
-      var roles = userCtx.roles;
-      for (i in roles) {
-         if(typeof(roles[i]) == "object" && roles[i][0] === role)
-            return roles[i][1]; // Request comes from backend auth handler
-         if(typeof(roles[i]) == "string" && roles[i] === role)
-            return []; // Request comes from other handlers (i.e. host auth)
-      }
-      return null;
-   }
-
-   // Function to check if user has the role for a given group or site
-   var matchesRole = function(role, grpsite) {
-      var r = getRole(role);
-      if (r != null)
-         if (grpsite === "" || r.indexOf(grpsite) != -1)
-            return true;
-      return false;
-   }
-
-   // Gets whether the user is a global admin
-   // name=null means requests coming from the local replicator, so we must allow
-   // (the cms couch auth does not allow name=null, so it affects only internal
-   // replication requests)
-   var isGlobalAdm = (userCtx.name === null)
-                     || matchesRole("_admin", "")
-                     || matchesRole("-admin", "group:couchdb");
-
-   //---------------------------------
-   // Authorization rules for Myapp DB
-
-   // The following rule aplies for all operation types
-   var allowed = isGlobalAdm || matchesRole("admin", "group:reqmgr")
-                             || matchesRole("web-service", "group:facops")
-                             || matchesRole("production-operator", "group:dataops");
-
-   // Throw if user not validated
-   if(!allowed) {
-      log(toJSON(userCtx));
-      throw {forbidden: "User not authorized for action."};
-   }
 }

src/couchapps/T0Request/validate_doc_update.js

@@ -3,49 +3,4 @@ function(newDoc, oldDoc, userCtx) {
    var DOCOPS = { modif:0, creat:1, delet:2 };
    var docOp = oldDoc ? (newDoc._deleted === true ? DOCOPS.delet : DOCOPS.modif)
                       : DOCOPS.creat;
-
-   // Function to get the user list of site/groups for the given role
-   var getRole = function(role) {
-      var roles = userCtx.roles;
-      for (i in roles) {
-         if(typeof(roles[i]) == "object" && roles[i][0] === role)
-            return roles[i][1]; // Request comes from backend auth handler
-         if(typeof(roles[i]) == "string" && roles[i] === role)
-            return []; // Request comes from other handlers (i.e. host auth)
-      }
-      return null;
-   };
-
-   // Function to check if user has the role for a given group or site
-   var matchesRole = function(role, grpsite) {
-      var r = getRole(role);
-      if (r != null)
-         if (grpsite === "" || r.indexOf(grpsite) != -1)
-            return true;
-      return false;
-   };
-
-   // Gets whether the user is a global admin
-   // name=null means requests coming from the local replicator, so we must allow
-   // (the cms couch auth does not allow name=null, so it affects only internal
-   // replication requests)
-   var isGlobalAdm = (userCtx.name === null)
-                     || matchesRole("admin", "")
-                     || matchesRole("_admin", "")
-                     || matchesRole("-admin", "group:couchdb");
-
-   //---------------------------------
-   // Authorization rules for Myapp DB
-
-   // The following rule aplies for all operation types
-   var allowed = isGlobalAdm || matchesRole("admin", "group:reqmgr")
-                             || matchesRole("web-service", "group:facops")
-                             || matchesRole("t0-operator","group:dataops")
-                             || matchesRole("production-operator", "group:dataops");
-
-   // Throw if user not validated
-   if(!allowed) {
-      log(toJSON(userCtx));
-      throw {forbidden: "User not authorized for action."};
-   }
-};
+}

src/couchapps/WMStats/validate_doc_update.js

@@ -7,47 +7,4 @@ function(newDoc, oldDoc, userCtx) {
    if (newDoc._deleted === true && !oldDoc) {
      throw({forbidden: 'Do not create deleted docs'});
    }
-
-   // Function to get the user list of site/groups for the given role
-   var getRole = function(role) {
-      var roles = userCtx.roles;
-      for (i in roles) {
-         if(typeof(roles[i]) == "object" && roles[i][0] === role)
-            return roles[i][1]; // Request comes from backend auth handler
-         if(typeof(roles[i]) == "string" && roles[i] === role)
-            return []; // Request comes from other handlers (i.e. host auth)
-      }
-      return null;
-   };
-   // Function to check if user has the role for a given group or site
-   var matchesRole = function(role, grpsite) {
-      var r = getRole(role);
-      if (r != null)
-         if (grpsite === "" || r.indexOf(grpsite) != -1)
-            return true;
-      return false;
-   };
-
-   // Gets whether the user is a global admin
-   // name=null means requests coming from the local replicator, so we must allow
-   // (the cms couch auth does not allow name=null, so it affects only internal
-   // replication requests)
-   var isGlobalAdm = (userCtx.name === null)
-                     || matchesRole("admin","")
-                     || matchesRole("_admin","")
-                     || matchesRole("-admin","group:couchdb");
-
-   //---------------------------------
-   // Authorization rules for Myapp DB
-
-   // The following rule aplies for all operation types
-   var allowed = isGlobalAdm || matchesRole("web-service","group:facops")
-                             || matchesRole("t0-operator","group:dataops")
-                             || matchesRole("production-operator","group:dataops");
-
-   // Throw if user not validated
-   if(!allowed) {
-      log(toJSON(userCtx));
-      throw {forbidden: "User not authorized for action."};
-   }
 }

src/couchapps/WMStatsAgent/validate_doc_update.js

@@ -7,36 +7,4 @@ function(newDoc, oldDoc, userCtx) {
    if (newDoc._deleted === true && !oldDoc) {
      throw({forbidden: 'Do not create deleted docs'});
    }
-
-   // Function to get the user list of site/groups for the given role
-   var getRole = function(role) {
-      var roles = userCtx.roles;
-      for (i in roles) {
-         if(typeof(roles[i]) == "object" && roles[i][0] === role)
-            return roles[i][1]; // Request comes from backend auth handler
-         if(typeof(roles[i]) == "string" && roles[i] === role)
-            return []; // Request comes from other handlers (i.e. host auth)
-      }
-      return null;
-   };
-   // Function to check if user has the role for a given group or site
-   var matchesRole = function(role, grpsite) {
-      var r = getRole(role);
-      if (r != null)
-         if (grpsite === "" || r.indexOf(grpsite) != -1)
-            return true;
-      return false;
-   };
-
-   // Gets whether the user is a global admin
-   // name=null means requests coming from the local replicator, so we must allow
-   // (the cms couch auth does not allow name=null, so it affects only internal
-   // replication requests)
-   var allowed = (userCtx.name === null) || matchesRole("_admin","");
-
-   // Throw if user not validated
-   if(!allowed) {
-      log(toJSON(userCtx));
-      throw {forbidden: "User not authorized for action."};
-   }
 }

src/couchapps/WorkQueue/validate_doc_update.js

@@ -5,21 +5,4 @@ function(newDoc, oldDoc, userCtx) {
       throw({forbidden: 'Do not create deleted docs'});
     }
 
-    var validation = require("lib/validate").init(newDoc, oldDoc, userCtx);
-
-    // Admins can do anything
-    if (validation.isAdmin()) {
-        return true;
-    }
-
-    // Either Developer or DataOps Operator/Manager required
-    if (validation.hasGroupRole("dataops", "developer") ||
-        validation.hasGroupRole("dataops", "production-operator") ||
-        validation.hasGroupRole("facops", "web-service")) {
-        return true;
-    }
-
-    // authentication failed
-    log("Authentication failed: " + toJSON(userCtx));
-    throw {forbidden: "User not validated for action"};
 }

src/couchapps/WorkloadSummary/validate_doc_update.js

@@ -2,25 +2,7 @@ function(newDoc, oldDoc, userCtx) {
     // We only care if the user is someone with the correct permissions
     // there is no difference between creating a new doc or updating an old one
 
-    var validation = require("lib/validate").init(newDoc, oldDoc, userCtx);
-
-    // Gets whether the user is a global admin
-    // name=null means requests coming from the local replicator, so we must allow
-    // (the cms couch auth does not allow name=null, so it affects only internal requests)
-    var isGlobalAdm = (userCtx.name === null)
-
-    // Admins can do anything
-    if (validation.isAdmin() || isGlobalAdm) {
-        return true;
-    }
-
-    // Either Developer or DataOps Operator/Manager required
-    if (validation.hasGroupRole("dataops", "developer") ||
-        validation.hasGroupRole("dataops", "production-operator")) {
-        return true;
-    }
-
-    // authentication failed
-    log("Authentication failed: " + toJSON(userCtx));
-    throw {forbidden: "User not validated for action"};
+   if (newDoc._deleted === true && !oldDoc) {
+     throw({forbidden: 'Do not create deleted docs'});
+   }
 }