/* * Copyright 2013 Jive Software * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ /** * @module security */ ///////////////////////////////////////////////////////////////////////////////////////////////////////////////// // Private var express = require('express'), service = require('./service'), jive = require('../api'), q = require('q'); var findCredentials = function(req) { var deferred = q.defer(); var conf = jive.service.options; // try to get it from body var jiveUrl = req.body['jiveUrl']; // default to system credentials var credentials = { 'clientId': conf.clientId, 'clientSecret': conf.clientSecret }; var authorization = req.headers['authorization']; var tenantID; if ( !jiveUrl && authorization ) { jive.logger.debug("Trying to parse jiveURL/tenantID from JiveEXTN authorization header..."); // check authorization header var authVars = authorization.split(' '); req['jive'] = {}; if ( authVars[0] == 'JiveEXTN') { // try to parse out jiveURL var authParams = authVars[1].split('&'); authParams.forEach( function(p) { if (p.indexOf('jive_url') == 0 ) { jiveUrl = decodeURIComponent( p.split("=")[1] ); req['jive']['jiveURL'] = jiveUrl; } if (p.indexOf('tenant_id') == 0 ) { tenantID = decodeURIComponent( p.split("=")[1] ); req['jive']['tenantID'] = tenantID; } }); } else { jive.logger.debug("JiveEXTN authorization header not present, could not find jiveURL that way."); } } if ( !jiveUrl ) { // default to service credentials -- cannot look it up by community deferred.resolve( credentials ); } else { // try to resolve trust by jiveUrl jive.community.findByJiveURL(jiveUrl).then(function (community) { if (community) { credentials['clientId'] = community['clientId']; credentials['clientSecret'] = community['clientSecret']; } else { jive.logger.debug("Could not look up security credentials by community jiveURL " + jiveUrl + " -- using service credentials " + "from service configuration file (usually jiveclientconfiguration.json)."); } deferred.resolve(credentials); }); } return deferred.promise; }; var lockedRoutes = {}; /** * Any routes passed into this method will become locked: e.g the service will validate security headers. * @param routePath */ exports.lockRoute = function( routePath ) { // pre if ( !routePath) { return; } if ( !routePath['verb'] ) { throw new Error('Invalid route, cannot lock: missing verb'); } if ( !routePath['path'] ) { throw new Error('Invalid route, cannot lock: missing path'); } var key = routePath['verb'] + '.' + routePath['path']; lockedRoutes[key] = routePath; }; exports.getLockedRoutes = function() { // return immutable copy return JSON.parse( JSON.stringify( lockedRoutes ) ); }; exports.isLocked = function( req ) { // in development, we're not locked down if ( jive.service.isDevelopment() ) { return false; } var key = req.method.toLowerCase() + '.' + req.path; return lockedRoutes[key]; }; function invalidAuthResponse(res) { if ( !res ) { return; } // bad res.writeHead(403, { 'Content-Type': 'application/json' }); res.end(JSON.stringify({ 'status': 403, 'error': 'Invalid or missing authorization headers.' })); } /** * General purpose utility that checks the request for security headers and validates them. * If error, a 403 response will be added to the passed in res object (if available) * @param req * @param res optional */ exports.checkAuthHeaders = function(req, res) { var deferred = q.defer(); if ( !exports.isLocked(req) ) { // we're ok deferred.resolve(true); } else { findCredentials(req).then( function(credentials) { if ( credentials ) { var clientId = credentials['clientId']; var secret = credentials['clientSecret']; var auth = req.headers['authorization']; if ( !auth ) { jive.logger.debug("No security headers found, even though security credentials were required."); invalidAuthResponse(res); deferred.reject(false); return; } var passedBasic = jive.util.basicAuthorizationHeaderValid(auth, clientId, secret, true ); var passedJiveEXTN = jive.util.jiveAuthorizationHeaderValid(auth, clientId, secret, true ); if ( !passedBasic && !passedJiveEXTN ) { jive.logger.debug("Unauthorized access. Failed basic auth, and jiveEXTN header checks."); invalidAuthResponse(res); deferred.reject(false); return; } // we're ok deferred.resolve(true); } else { jive.logger.debug("No credentials were found to check against."); deferred.resolve(true); } }); } return deferred.promise; }; exports.checkAuthHeadersMiddleware = function (req, res, next ) { return exports.checkAuthHeaders( req, res ).finally( function() { if ( next ) { next(); } }); };