Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WIP: feat: add permission check #395

Open
wants to merge 7 commits into
base: develop
Choose a base branch
from
Open

WIP: feat: add permission check #395

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
41f09ef
Added permission check for downloading of files
bolmsten Nov 29, 2024
7f50dbc
Add env file
bolmsten Nov 29, 2024
7ef49f6
Add scicatAPI singleton
bolmsten Nov 29, 2024
599733a
remove log
bolmsten Nov 29, 2024
c83c931
Update .env
bolmsten Nov 29, 2024
ae4c4d6
Clean up code, remove dotenv and refactor
bolmsten Dec 3, 2024
6066ca5
Update src/auth.ts
bolmsten Dec 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions .env
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
SCICAT_API_BASE_PATH=
SCICAT_API_ACCESS_TOKEN=
bolmsten marked this conversation as resolved.
Show resolved Hide resolved
4 changes: 3 additions & 1 deletion config/config.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,5 +13,7 @@
"graylogEnabled": false,
"graylogServer": "it-graylog.esss.lu.se",
"graylogPort": 12201,
"environment": "development"
"environment": "development",
"basePath": "",
"accessToken": ""
}
164 changes: 164 additions & 0 deletions package-lock.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@
"lint": "eslint --fix ."
},
"dependencies": {
"@scicatproject/scicat-ts-fetch-test": "^2.0.0",
"@types/archiver": "^5.3.1",
"@types/cookie-parser": "^1.4.3",
"@types/cors": "^2.8.12",
Expand Down
73 changes: 41 additions & 32 deletions src/auth.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,15 +1,21 @@
import express from "express";
import { config } from "./common/config";
import jwtLib from "jsonwebtoken";
import * as fs from "fs";
import jwtLib from "jsonwebtoken";

import { logger } from "@user-office-software/duo-logger";
import { scicatDataSetAPI } from "./common/scicatAPI"

export const hasFileAccess = (
export const hasFileAccess = async (
req: express.Request,
directory: string,
fileNames: string[]
): Global.AuthResponse => {
const { jwtSecret, facility } = config;
fileNames: string[],
dataset: string
): Promise<Global.AuthResponse> => {

const { jwtSecret } = config;
const dataSetAPI = scicatDataSetAPI();

if (!jwtSecret) {
return {
hasAccess: false,
Expand Down Expand Up @@ -41,7 +47,10 @@ export const hasFileAccess = (
httpMethod: req.method,
directory,
fileNames,
dataset
};


if (!authRequest.directory) {
return {
hasAccess: false,
Expand Down Expand Up @@ -79,32 +88,32 @@ export const hasFileAccess = (
fileNames: [],
};
}
// Evaluate access rights based on institution specific logic
switch (facility) {
case "maxiv": {
return authMAXIV(authRequest);
}
default:
return {
hasAccess: true,
statusCode: 200,
directory: authRequest.directory,
fileNames: authRequest.fileNames,
};
}
};

const authMAXIV = (authRequest: Global.AuthRequest): Global.AuthResponse => {
const valid =
authRequest.jwt.groups.filter(
(group) => group.trim() && authRequest.directory.indexOf(group) > -1
).length > 0;

return {
hasAccess: valid,
statusCode: valid ? 200 : 403,
error: valid ? "" : "You do not have access to this resource",
directory: valid ? authRequest.directory : undefined,
fileNames: valid ? authRequest.fileNames : [],
};
};

const valid = await dataSetAPI.datasetsControllerFindById({pid: authRequest.dataset}).then(
(value) =>
{
if(value.isPublished || // Check if proposal is public
value.accessGroups.some(item => new Set(authRequest.jwt.groups).has(item)) || // Check if user has one or more of the access groups of dataset
authRequest.jwt.groups.indexOf(value.ownerGroup) > -1) //Check if user has the owner group
{
return true;
}
Copy link

@Junjiequan Junjiequan Dec 10, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
const valid = await dataSetAPI.datasetsControllerFindById({pid: authRequest.dataset}).then(
(value) =>
{
if(value.isPublished || // Check if proposal is public
value.accessGroups.some(item => new Set(authRequest.jwt.groups).has(item)) || // Check if user has one or more of the access groups of dataset
authRequest.jwt.groups.indexOf(value.ownerGroup) > -1) //Check if user has the owner group
{
return true;
}
const isPublic = value.isPublished;
const hasAccessGroup = value.accessGroups.some(item => new Set(authRequest.jwt.groups).has(item));
const hasOwnerGroup = authRequest.jwt.groups.includes(value.ownerGroup);
if (isPublic || hasAccessGroup || hasOwnerGroup) {
return true;
}

It'd be easier to read this way, what do you think?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The suggested codes should be inside the curly bracket.


return false;

}
).catch((e) => {

return false;
});

return {
hasAccess: valid,
statusCode: valid ? 200 : 403,
error: valid ? "" : "You do not have access to this resource",
directory: valid ? authRequest.directory : undefined,
fileNames: valid ? authRequest.fileNames : [],
};
}
24 changes: 24 additions & 0 deletions src/common/scicatAPI.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
import { Configuration, DatasetsApi } from "@scicatproject/scicat-ts-fetch-test";
import { config } from "./config";

let datasetsApiInstance: DatasetsApi | null = null;

export function scicatDataSetAPI(): DatasetsApi {
const { basePath, accessToken } = config;

if (!datasetsApiInstance) {

if (!basePath || !accessToken) {
throw new Error("SciCat API configuration is missing: Check SCICAT_API_BASE_PATH and SCICAT_API_ACCESS_TOKEN.");
}

const apiConfig = new Configuration({
basePath ,
accessToken,
});

datasetsApiInstance = new DatasetsApi(apiConfig);
}

return datasetsApiInstance;
}
1 change: 1 addition & 0 deletions src/routes/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ router.get("/", function (req, res) {
res.render("index", {
jwt: config.testData.jwt || "",
directory: config.testData.directory || "",
dataset: "",
file0: config.testData?.files[0] || "",
file1: config.testData?.files[1] || "",
file2: config.testData?.files[2] || "",
Comment on lines 8 to 12
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The current configuration allows to download files only from a single dataset.
Should we consider to change the data structure here to allow multi dataset, multi files download?
Or should we keep it as it is in this PR and consider it for future a one?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

where in SciCat can you download files from multiple datasets?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not at the moment, but it is coming

Expand Down
Loading
Loading