From 12c2d252cf76c45bb8a2b457812540400465de3b Mon Sep 17 00:00:00 2001 From: Jannik Schönartz Date: Mon, 8 Jun 2020 00:31:55 +0000 Subject: [server] PM integration in all missing api-points but groups --- server/api/backends.js | 1 - server/api/backendtypes.js | 8 ++++---- server/api/clients.js | 18 ++++++++++++++++++ server/api/events.js | 21 +++++++++++++++++++++ server/api/ipranges.js | 18 ++++++++++++++++++ server/api/ipxeconfigs.js | 18 ++++++++++++++++++ server/api/ipxeentries.js | 18 ++++++++++++++++++ server/api/permissions.js | 14 ++++++++++++++ server/api/registration.js | 18 ++++++++++++++++++ server/api/roles.js | 18 ++++++++++++++++++ server/api/systemlog.js | 14 ++++++++++++++ server/api/users.js | 4 ++-- server/api/wakerequests.js | 14 ++++++++++++++ 13 files changed, 177 insertions(+), 7 deletions(-) (limited to 'server/api') diff --git a/server/api/backends.js b/server/api/backends.js index 872e0f6..63b4cb9 100644 --- a/server/api/backends.js +++ b/server/api/backends.js @@ -22,7 +22,6 @@ noAuthRouter.getAsync('/:id/test', async (req, res) => { // Permission check middleware router.all(['', '/:id', '/:id/:function'], async (req, res, next) => { - console.log(req.params) switch (req.method) { case 'GET': switch (req.params.function) { diff --git a/server/api/backendtypes.js b/server/api/backendtypes.js index ef371d8..90815b0 100644 --- a/server/api/backendtypes.js +++ b/server/api/backendtypes.js @@ -2,14 +2,14 @@ const path = require('path') const ExternalBackends = require(path.join(__appdir, 'lib', 'external-backends')) var express = require('express') -var router = express.Router() +var noAuthRouter = express.Router() // GET requests. /* * @return: Returns a list of all available backend types. */ -router.get('/', (req, res) => { +noAuthRouter.get('/', (req, res) => { const backends = new ExternalBackends() var files = backends.getBackends() 
@@ -25,7 +25,7 @@ router.get('/', (req, res) => { * * @return: Returns the credentials structure and fields of a backend type. */ -router.get('/:type', (req, res) => { +noAuthRouter.get('/:type', (req, res) => { const backendType = req.params.type const b = new ExternalBackends() const instance = b.getInstance(backendType) @@ -35,4 +35,4 @@ router.get('/:type', (req, res) => { res.status(200).send(instance.getCredentials()) }) -module.exports.router = router +module.exports.noAuthRouter = noAuthRouter diff --git a/server/api/clients.js b/server/api/clients.js index 4222f49..1a5c274 100644 --- a/server/api/clients.js +++ b/server/api/clients.js @@ -10,6 +10,24 @@ const HttpResponse = require(path.join(__appdir, 'lib', 'httpresponse')) const log = require(path.join(__appdir, 'lib', 'log')) const groupHelper = require(path.join(__appdir, 'lib', 'grouphelper')) +// Permission check middleware +router.all(['', '/:id'], async (req, res, next) => { + switch (req.method) { + case 'GET': + if (!await req.user.hasPermission('clients.view')) return res.status(403).send({ error: 'Missing permission', permission: 'clients.view' }) + break + + case 'POST': case 'DELETE': + if (!await req.user.hasPermission('clients.edit')) return res.status(403).send({ error: 'Missing permission', permission: 'clients.edit' }) + break + + default: + return res.status(400).send() + } + + next() +}) + // ############################################################################ // ########################### GET requests ################################# diff --git a/server/api/events.js b/server/api/events.js index 7e330e5..310a64a 100644 --- a/server/api/events.js +++ b/server/api/events.js 
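Review bot: Moving `/:type` onto `noAuthRouter` means the response of `instance.getCredentials()` is now served to unauthenticated clients, together with the backend-type list moved in the first hunk of this file. The doc comment describes that response as the "credentials structure and fields" of a backend type; if it is only a field schema (names and types, no defaults or stored values) the exposure is limited to letting anyone enumerate supported backends, but nothing in the hunk shows what `getCredentials()` returns, so this should be confirmed against `ExternalBackends` before merging. The decision belongs next to the route so it is not re-questioned later: `// Unauthenticated on purpose: returns only the field schema of a backend type, never stored credentials.`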
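Review bot: The new guard in clients.js is registered with `router.all(['', '/:id'], …)`, so it only runs for those two path shapes; any route on this router with a deeper path, or one added later, executes with no permission check at all, which fails open. The same path-enumerated pattern is used in the new middleware of events.js, ipranges.js, ipxeconfigs.js, ipxeentries.js, permissions.js, registration.js, roles.js, systemlog.js and wakerequests.js, and registration.js's list `['', '/hooks', '/:y', '/hooks/:x']` shows how the enumeration has to be kept in step with the real route set by hand. Registering the check with `router.use(…)` (or a wildcard path) covers every route on the router by default, with the few checks that need the path segment reading `req.path` instead of `req.params`. A second shared issue is that the callback is `async` but registered through the plain `router.all`, so a rejection from `req.user.hasPermission` (or a missing `req.user`) becomes an unhandled rejection and the request hangs instead of reaching Express's error handler; the `decorateApp` router these files already use offers `*Async` variants (e.g. `useAsync`) that forward rejections to `next(err)`. Minor: `default: return res.status(400).send()` answers unsupported methods with 400 where 405 is the conventional status.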
@@ -11,6 +11,27 @@ socket.connect('ipc:///tmp/bas_zeromq_events') const log = require(path.join(__appdir, 'lib', 'log')) const HttpResponse = require(path.join(__appdir, 'lib', 'httpresponse')) +// Permission check middleware +router.all(['', '/:x'], async (req, res, next) => { + switch (req.method) { + case 'GET': + if (!await req.user.hasPermission('events.view')) return res.status(403).send({ error: 'Missing permission', permission: 'events.view' }) + break + + case 'POST': + // TODO: REMOVE blacklist free pass IF PM uses own blacklist function --> HELPER LIB?! + if (req.params.x === 'blacklist') break + + if (!await req.user.hasPermission('events.edit')) return res.status(403).send({ error: 'Missing permission', permission: 'events.edit' }) + break + + default: + return res.status(400).send() + } + + next() +}) + // ############################################################################ // ########################### GET requests ################################# diff --git a/server/api/ipranges.js b/server/api/ipranges.js index 7750658..23fa76a 100644 --- a/server/api/ipranges.js +++ b/server/api/ipranges.js 
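Review bot: The new POST branch in events.js exempts `/blacklist` from the `events.edit` check (`if (req.params.x === 'blacklist') break`), so any authenticated caller can POST to that endpoint while every other event modification requires a permission, and the exemption ships with only a TODO. If the blacklist write genuinely must work without `events.edit`, it should be gated on a dedicated permission via `req.user.hasPermission(…)` rather than skipping authorization entirely; a free pass that is meant to be temporary tends to outlive the reason for it. I cannot see the `/blacklist` handler from this hunk, so what it mutates is unknown; if the bypass stays, replace the TODO with an explanatory comment such as `// /blacklist intentionally bypasses events.edit until the permission manager provides its own blacklist function (tracked in ISSUE-PLACEHOLDER)` so the gap is visible and tracked.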
@@ -8,6 +8,24 @@ const HttpResponse = require(path.join(__appdir, 'lib', 'httpresponse')) const iphelper = require(path.join(__appdir, 'lib', 'iphelper')) const log = require(path.join(__appdir, 'lib', 'log')) +// Permission check middleware +router.all(['', '/:x'], async (req, res, next) => { + switch (req.method) { + case 'GET': + if (!await req.user.hasPermission('ipranges.view')) return res.status(403).send({ error: 'Missing permission', permission: 'ipranges.view' }) + break + + case 'POST': case 'DELETE': + if (!await req.user.hasPermission('ipranges.edit')) return res.status(403).send({ error: 'Missing permission', permission: 'ipranges.edit' }) + break + + default: + return res.status(400).send() + } + + next() +}) + // ############################################################################ // ########################### GET requests ################################# diff --git a/server/api/ipxeconfigs.js b/server/api/ipxeconfigs.js index 3c6f6eb..6845952 100644 --- a/server/api/ipxeconfigs.js +++ b/server/api/ipxeconfigs.js @@ -8,6 +8,24 @@ var router = decorateApp(express.Router()) const HttpResponse = require(path.join(__appdir, 'lib', 'httpresponse')) const log = require(path.join(__appdir, 'lib', 'log')) +// Permission check middleware +router.all(['', '/:x'], async (req, res, next) => { + switch (req.method) { + case 'GET': + if (!await req.user.hasPermission('ipxeconfigs.view')) return res.status(403).send({ error: 'Missing permission', permission: 'ipxeconfigs.view' }) + break + + case 'POST': case 'PUT': case 'DELETE': + if (!await req.user.hasPermission('ipxeconfigs.edit')) return res.status(403).send({ error: 'Missing permission', permission: 'ipxeconfigs.edit' }) + break + + default: + return res.status(400).send() + } + + next() +}) + // ############################################################################ // ########################### GET requests ################################# 
diff --git a/server/api/ipxeentries.js b/server/api/ipxeentries.js index 1003754..53b3731 100644 --- a/server/api/ipxeentries.js +++ b/server/api/ipxeentries.js @@ -6,6 +6,24 @@ const { decorateApp } = require('@awaitjs/express') var router = decorateApp(express.Router()) const HttpResponse = require(path.join(__appdir, 'lib', 'httpresponse')) +// Permission check middleware +router.all(['', '/:x'], async (req, res, next) => { + switch (req.method) { + case 'GET': + if (!await req.user.hasPermission('ipxeentries.view')) return res.status(403).send({ error: 'Missing permission', permission: 'ipxeentries.view' }) + break + + case 'POST': case 'DELETE': + if (!await req.user.hasPermission('ipxeentries.edit')) return res.status(403).send({ error: 'Missing permission', permission: 'ipxeentries.edit' }) + break + + default: + return res.status(400).send() + } + + next() +}) + // ############################################################################ // ########################### GET requests ################################# diff --git a/server/api/permissions.js b/server/api/permissions.js index 45f656a..ca943a2 100644 --- a/server/api/permissions.js +++ b/server/api/permissions.js @@ -5,6 +5,20 @@ var express = require('express') const { decorateApp } = require('@awaitjs/express') var router = decorateApp(express.Router()) +// Permission check middleware +router.all(['', '/:x'], async (req, res, next) => { + switch (req.method) { + case 'GET': + if (!await req.user.hasPermission('permissions.view')) return res.status(403).send({ error: 'Missing permission', permission: 'permissions.view' }) + break + + default: + return res.status(400).send() + } + + next() +}) + /* * @return: Returns if current user has given permission. */ diff --git a/server/api/registration.js b/server/api/registration.js index 86bf185..fd10fba 100644 --- a/server/api/registration.js +++ b/server/api/registration.js 
@@ -13,6 +13,24 @@ const url = config.https.host // + ':' + config.https.port const log = require(path.join(__appdir, 'lib', 'log')) const HttpResponse = require(path.join(__appdir, 'lib', 'httpresponse')) +// Permission check middleware +router.all(['', '/hooks', '/:y', '/hooks/:x'], async (req, res, next) => { + switch (req.method) { + case 'GET': + if (!await req.user.hasPermission('registration.view')) return res.status(403).send({ error: 'Missing permission', permission: 'registration.view' }) + break + + case 'POST': case 'DELETE': + if (!await req.user.hasPermission('registration.edit')) return res.status(403).send({ error: 'Missing permission', permission: 'registration.edit' }) + break + + default: + return res.status(400).send() + } + + next() +}) + // GET requests. /* diff --git a/server/api/roles.js b/server/api/roles.js index c7726b8..ba1c2a2 100644 --- a/server/api/roles.js +++ b/server/api/roles.js @@ -7,6 +7,24 @@ var router = decorateApp(express.Router()) const HttpResponse = require(path.join(__appdir, 'lib', 'httpresponse')) const log = require(path.join(__appdir, 'lib', 'log')) +// Permission check middleware +router.all(['', '/:x'], async (req, res, next) => { + switch (req.method) { + case 'GET': + if (!await req.user.hasPermission('roles.view')) return res.status(403).send({ error: 'Missing permission', permission: 'roles.view' }) + break + + case 'POST': + if (!await req.user.hasPermission('roles.edit')) return res.status(403).send({ error: 'Missing permission', permission: 'roles.edit' }) + break + + default: + return res.status(400).send() + } + + next() +}) + /* * / * diff --git a/server/api/systemlog.js b/server/api/systemlog.js index 4d7a69a..6d69f71 100644 --- a/server/api/systemlog.js +++ b/server/api/systemlog.js 
@@ -5,6 +5,20 @@ var express = require('express') const { decorateApp } = require('@awaitjs/express') var router = decorateApp(express.Router()) +// Permission check middleware +router.all(['', '/:x'], async (req, res, next) => { + switch (req.method) { + case 'GET': + if (!await req.user.hasPermission('systemlog.view')) return res.status(403).send({ error: 'Missing permission', permission: 'systemlog.view' }) + break + + default: + return res.status(400).send() + } + + next() +}) + // ############################################################################ // ########################### GET requests ################################# diff --git a/server/api/users.js b/server/api/users.js index a4940e0..2edac8d 100644 --- a/server/api/users.js +++ b/server/api/users.js @@ -8,10 +8,10 @@ var authentication = require(path.join(__appdir, 'lib', 'authentication')) const log = require(path.join(__appdir, 'lib', 'log')) // Permission check middleware -router.all(['', '/:id'], async (req, res, next) => { +router.all(['', '/:x'], async (req, res, next) => { // User is allowed to edit his own information even without any permissions. let currentInfo = false - if (req.params.id && req.params.id === 'current') currentInfo = true + if (req.params.x && req.params.x === 'current') currentInfo = true switch (req.method) { case 'GET': diff --git a/server/api/wakerequests.js b/server/api/wakerequests.js index 811fea9..6f6faf3 100644 --- a/server/api/wakerequests.js +++ b/server/api/wakerequests.js 
@@ -7,6 +7,20 @@ const { decorateApp } = require('@awaitjs/express') var router = decorateApp(express.Router()) const log = require(path.join(__appdir, 'lib', 'log')) +// Permission check middleware +router.all(['', '/:x'], async (req, res, next) => { + switch (req.method) { + case 'POST': + if (!await req.user.hasPermission('wakerequests.send')) return res.status(403).send({ error: 'Missing permission', permission: 'wakerequests.send' }) + break + + default: + return res.status(400).send() + } + + next() +}) + router.postAsync('', async (req, res) => { const clients = await db.client.findAll({ where: { id: req.body.clients } }) await log({ -- cgit v1.2.3-55-g7522