adding admin env check

cassproject · Apr 30, 2024 · 57521f7 · 57521f7
1 parent ad2632b
commit 57521f7
Showing 1 changed file with 26 additions and 0 deletions.
diff --git a/src/main/server/shims/auth.js b/src/main/server/shims/auth.js
@@ -8,6 +8,24 @@ var skyrepoAdminPpk = function() {
         fileSave(EcPpk.fromPem(rsaGenerate()).toPem(), "etc/skyAdmin2.pem");
     return EcPpk.fromPem(fileToString(fileLoad("etc/skyAdmin2.pem"))).toPem();
 };
+const skyrepoAdminPk = function () {
+    if (!fs.existsSync('etc/skyAdmin2.pem')) {
+        fileSave(EcPpk.fromPem(rsaGenerate()).toPem(), 'etc/skyAdmin2.pem');
+    }
+    return EcPpk.fromPem(fileToString(fileLoad('etc/skyAdmin2.pem'))).toPk().toPem();
+};
+
+function interpretAdminCSV(envCSV) {
+    if (envCSV == undefined || typeof envCSV !== "string" || envCSV === "")
+        return [];
+
+    return envCSV.split(",");
+}
+
+// Optional Admin Config
+const AUTH_ALLOW_ENV_ADMINS = process.env.AUTH_ALLOW_ENV_ADMINS == "true";
+const AUTH_ENV_ADMIN_EMAILS = interpretAdminCSV(process.env.AUTH_ENV_ADMIN_EMAILS);
+
 let getPk = async(identifier) => {
     if (getPkCache[identifier] != null)
     {
@@ -388,12 +406,20 @@ app.use(async function (req, res, next) {
         if (signatureSheet == null)
         {
             signatureSheet = await eim.signatureSheet(60000,repo.selectedServerProxy == null ? repo.selectedServer : repo.selectedServerProxy,null,null,"SHA-256");
+
+            let considerUserAnAdmin = AUTH_ALLOW_ENV_ADMINS && AUTH_ENV_ADMIN_EMAILS.includes(email);
+            if (considerUserAnAdmin && signatureSheet != null) {
+                let adminKey = skyrepoAdminPk();
+                signatureSheet.push(adminKey);
+            }
+
             //THIS IS NOT OK, THE KEY INTO THE CACHE SHOULD NOT BE THE SERVER NAME!!!!!!!!!!
             signatureSheetCache[p.shortId()] = signatureSheet;
             global.auditLogger.report(global.auditLogger.LogCategory.AUTH, global.auditLogger.Severity.INFO, "CassSigSheetCreated", `Securing Proxy: Created signature sheet for request from ${email}.`, signatureSheet);
         }
         else
             global.auditLogger.report(global.auditLogger.LogCategory.AUTH, global.auditLogger.Severity.INFO, "CassSigSheetCreated", `Securing Proxy: Reused signature sheet for request from ${email}.`, signatureSheet);
+
         req.headers.signatureSheet = signatureSheet;
         req.eim = eim;
     }