bump

skadefro · skadefro · commit 0d432ddd71fb · 2021-05-21T19:03:55.000+02:00
diff --git a/OpenFlow/src/Config.ts b/OpenFlow/src/Config.ts
@@ -30,6 +30,7 @@ export class Config {
         Config.openflow_amqp_expiration = parseInt(Config.getEnv("openflow_amqp_expiration", (60 * 1000 * 25).toString())); // 25 min
         Config.amqp_prefetch = parseInt(Config.getEnv("amqp_prefetch", "50"));
         Config.amqp_web_default_priority = parseInt(Config.getEnv("amqp_web_default_priority", "2"));
+        Config.trace_dashboardauth = Config.parseBoolean(Config.getEnv("trace_dashboardauth", "true"));
 
 
         Config.getting_started_url = Config.getEnv("getting_started_url", "");
@@ -159,6 +160,7 @@ export class Config {
     public static openflow_amqp_expiration: number = parseInt(Config.getEnv("openflow_amqp_expiration", (60 * 1000 * 25).toString())); // 25 min
     public static amqp_prefetch: number = parseInt(Config.getEnv("amqp_prefetch", "50"));
     public static amqp_web_default_priority: number = parseInt(Config.getEnv("amqp_web_default_priority", "2"));
+    public static trace_dashboardauth: boolean = Config.parseBoolean(Config.getEnv("trace_dashboardauth", "true"));
 
     public static getting_started_url: string = Config.getEnv("getting_started_url", "");
 
diff --git a/OpenFlow/src/DBHelper.ts b/OpenFlow/src/DBHelper.ts
@@ -74,48 +74,66 @@ export class DBHelper {
             Logger.otel.endSpan(span);
         }
     }
-    public static async GetRoles(_id: string, ident: number, parent: Span): Promise<Role[]> {
-        const span: Span = Logger.otel.startSubSpan("dbhelper.GetRoles", parent);
-        span.setAttribute("_id", _id);
-        span.setAttribute("ident", ident);
-        try {
-            if (ident > Config.max_recursive_group_depth) return [];
-            const result: Role[] = [];
-            const query: any = { "members": { "$elemMatch": { _id: _id } } };
-            const ids: string[] = [];
-            const _roles: Role[] = await Config.db.query<Role>(query, null, Config.expected_max_roles, 0, null, "users", Crypt.rootToken(), undefined, undefined, span);
-            for (let role of _roles) {
-                if (ids.indexOf(role._id) == -1) {
-                    ids.push(role._id);
-                    result.push(role);
-                    const _subroles: Role[] = await this.GetRoles(role._id, ident + 1, span);
-                    for (let subrole of _subroles) {
-                        if (ids.indexOf(subrole._id) == -1) {
-                            ids.push(subrole._id);
-                            result.push(subrole);
-                        }
-                    }
-                }
-            }
-            return result;
-        } catch (error) {
-            span.recordException(error);
-            throw error;
-        } finally {
-            Logger.otel.endSpan(span);
-        }
-    }
+    // public static async GetRoles(_id: string, ident: number, parent: Span): Promise<Role[]> {
+    //     const span: Span = Logger.otel.startSubSpan("dbhelper.GetRoles", parent);
+    //     span.setAttribute("_id", _id);
+    //     span.setAttribute("ident", ident);
+    //     try {
+    //         if (ident > Config.max_recursive_group_depth) return [];
+    //         const result: Role[] = [];
+    //         const query: any = { "members": { "$elemMatch": { _id: _id } } };
+    //         const ids: string[] = [];
+    //         const _roles: Role[] = await Config.db.query<Role>(query, null, Config.expected_max_roles, 0, null, "users", Crypt.rootToken(), undefined, undefined, span);
+    //         for (let role of _roles) {
+    //             if (ids.indexOf(role._id) == -1) {
+    //                 ids.push(role._id);
+    //                 result.push(role);
+    //                 const _subroles: Role[] = await this.GetRoles(role._id, ident + 1, span);
+    //                 for (let subrole of _subroles) {
+    //                     if (ids.indexOf(subrole._id) == -1) {
+    //                         ids.push(subrole._id);
+    //                         result.push(subrole);
+    //                     }
+    //                 }
+    //             }
+    //         }
+    //         return result;
+    //     } catch (error) {
+    //         span.recordException(error);
+    //         throw error;
+    //     } finally {
+    //         Logger.otel.endSpan(span);
+    //     }
+    // }
     public static cached_roles: Role[] = [];
     public static cached_at: Date = new Date();
     public static async DecorateWithRoles(user: User, parent: Span): Promise<void> {
         const span: Span = Logger.otel.startSubSpan("dbhelper.DecorateWithRoles", parent);
         try {
             if (!Config.decorate_roles_fetching_all_roles) {
-                const roles: Role[] = await this.GetRoles(user._id, 0, span);
-                user.roles = [];
-                roles.forEach(role => {
-                    user.roles.push(new Rolemember(role.name, role._id));
-                });
+                // const roles: Role[] = await this.GetRoles(user._id, 0, span);
+                // user.roles = [];
+                // roles.forEach(role => {
+                //     user.roles.push(new Rolemember(role.name, role._id));
+                // });
+                const pipe: any = [{ "$match": { "_id": user._id } },
+                {
+                    "$graphLookup": {
+                        from: "users",
+                        startWith: "$_id",
+                        connectFromField: "_id",
+                        connectToField: "members._id",
+                        as: "roles",
+                        maxDepth: Config.max_recursive_group_depth,
+                        restrictSearchWithMatch: { "_type": "role" }
+                    }
+                }]
+                const results = await Config.db.aggregate<User>(pipe, "users", Crypt.rootToken(), null, span);
+                if (results.length > 0) {
+                    user = results[0];
+                    user.roles = user.roles.map(x => ({ "_id": x._id, "name": x.name })) as any;
+                    user.roles = user.roles;
+                }
             } else {
                 var end: number = new Date().getTime();
                 var seconds = Math.round((end - this.cached_at.getTime()) / 1000);
diff --git a/OpenFlow/src/DatabaseConnection.ts b/OpenFlow/src/DatabaseConnection.ts
@@ -182,6 +182,37 @@ export class DatabaseConnection {
         WellknownIds.personal_nodered_users,
         WellknownIds.robot_agent_users
     ]
+    WellknownNamesArray: string[] = [
+        "root",
+        "admins",
+        "users",
+        "user",
+        "admin",
+        "nodered",
+        "administrator",
+        "robots",
+        "robot",
+        "nodered_users",
+        "nodered_admins",
+        "nodered_api_users",
+        "filestore_users",
+        "filestore_admins",
+        "robot_users",
+        "robot_admins",
+        "personal_nodered_users",
+        "robot_agent_users",
+
+        "nodered users",
+        "nodered admins",
+        "nodered api_users",
+        "filestore users",
+        "filestore admins",
+        "robot users",
+        "robot admins",
+        "personal nodered users",
+        "robot agent users"
+
+    ]
 
     async CleanACL<T extends Base>(item: T, user: TokenUser, parent: Span): Promise<T> {
         const span: Span = Logger.otel.startSubSpan("db.CleanACL", parent);
@@ -817,6 +848,12 @@ export class DatabaseConnection {
                 (item as any).passwordhash = await Crypt.hash((item as any).newpassword);
                 delete (item as any).newpassword;
             }
+            if (collectionname === "users" && !NoderedUtil.IsNullEmpty(item._type) && !NoderedUtil.IsNullEmpty(item.name)) {
+                if ((item._type === "user" || item._type === "role") &&
+                    (this.WellknownNamesArray.indexOf(item.name) > -1 || this.WellknownNamesArray.indexOf((item as any).username) > -1)) {
+                    throw new Error("Access denied");
+                }
+            }
             j = ((j as any) === 'true' || j === true);
             w = parseInt((w as any));
             item._version = 0;
@@ -1009,6 +1046,15 @@ export class DatabaseConnection {
                     const again = this.hasAuthorization(user, original, Rights.update);
                     throw new Error("Access denied, no authorization to UpdateOne " + q.item._type + " " + name + " to database");
                 }
+                if (q.collectionname === "users" && !NoderedUtil.IsNullEmpty(q.item._type) && !NoderedUtil.IsNullEmpty(q.item.name)) {
+                    if ((q.item._type === "user" || q.item._type === "role") &&
+                        (this.WellknownNamesArray.indexOf(q.item.name) > -1 || this.WellknownNamesArray.indexOf((q.item as any).username) > -1)) {
+                        if (this.WellknownIdsArray.indexOf(q.item._id) == -1) {
+                            throw new Error("Access denied");
+                        }
+                    }
+                }
+
                 if (q.collectionname != "fs.files") {
                     q.item._modifiedby = user.name;
                     q.item._modifiedbyid = user._id;
diff --git a/OpenFlow/src/LoginProvider.ts b/OpenFlow/src/LoginProvider.ts
@@ -177,12 +177,12 @@ export class LoginProvider {
             }
         });
         app.get("/dashboardauth", async (req: any, res: any, next: any) => {
-            const span: Span = Logger.otel.startSpan("LoginProvider.dashboardauth");
+            const span: Span = (Config.trace_dashboardauth ? Logger.otel.startSpan("LoginProvider.dashboardauth") : null);
             try {
-                span.setAttribute("remoteip", WebServer.remoteip(req));
+                span?.setAttribute("remoteip", WebServer.remoteip(req));
                 if (req.user) {
                     const user: TokenUser = TokenUser.From(req.user);
-                    span.setAttribute("username", user.username);
+                    span?.setAttribute("username", user.username);
                     if (user != null) {
                         const allowed = user.roles.filter(x => x.name == "dashboardusers" || x.name == "admins");
                         if (allowed.length > 0) {
@@ -241,7 +241,7 @@ export class LoginProvider {
                 // const [login, password] = new Buffer(b64auth, 'base64').toString().split(':')
                 const [login, password] = Buffer.from(b64auth, "base64").toString().split(':')
                 if (login && password) {
-                    span.setAttribute("username", login);
+                    span?.setAttribute("username", login);
                     let user: User = Auth.getUser(b64auth, "dashboard");
                     if (user == null) user = await Auth.ValidateByPassword(login, password, span);
                     if (user != null) {
@@ -265,7 +265,7 @@ export class LoginProvider {
                 res.setHeader('WWW-Authenticate', 'Basic realm="OpenFlow"');
                 res.end('Unauthorized');
             } catch (error) {
-                span.recordException(error);
+                span?.recordException(error);
                 throw error;
             } finally {
                 Logger.otel.endSpan(span);
@@ -467,12 +467,12 @@ export class LoginProvider {
                 console.error(error.message ? error.message : error);
                 return res.status(500).send({ message: error.message ? error.message : error });
             }
-            try {
-                span.addEvent("RegisterProviders");
-                LoginProvider.RegisterProviders(app, baseurl);
-            } catch (error) {
-                span.recordException(error);
-            }
+            // try {
+            //     span.addEvent("RegisterProviders");
+            //     LoginProvider.RegisterProviders(app, baseurl);
+            // } catch (error) {
+            //     span.recordException(error);
+            // }
             Logger.otel.endSpan(span);
         });
         app.get("/validateuserform", async (req: any, res: any, next: any): Promise<void> => {
@@ -571,15 +571,17 @@ export class LoginProvider {
                 console.error(error.message ? error.message : error);
                 Logger.otel.endSpan(span);
                 return res.status(500).send({ message: error.message ? error.message : error });
-            }
-            try {
-                LoginProvider.RegisterProviders(app, baseurl);
-            } catch (error) {
-                span.recordException(error);
-                return res.status(500).send({ message: error.message ? error.message : error });
             } finally {
                 Logger.otel.endSpan(span);
             }
+            // try {
+            //     LoginProvider.RegisterProviders(app, baseurl);
+            // } catch (error) {
+            //     span.recordException(error);
+            //     return res.status(500).send({ message: error.message ? error.message : error });
+            // } finally {
+            //     Logger.otel.endSpan(span);
+            // }
 
         });
         app.get("/download/:id", async (req, res) => {
diff --git a/OpenFlow/src/Messages/Message.ts b/OpenFlow/src/Messages/Message.ts
@@ -308,7 +308,7 @@ export class Message {
                 case "insertone":
                     this.EnsureJWT(cli);
                     if (Config.enable_openflow_amqp) {
-                        cli.Send(await QueueClient.SendForProcessing(this, (cli.clientagent == "webapp" ? Config.amqp_web_default_priority : 1)));
+                        cli.Send(await QueueClient.SendForProcessing(this, this.priority));
                     } else {
                         await this.InsertOne(span);
                         cli.Send(this);
@@ -503,10 +503,10 @@ export class Message {
         this.Reply();
         let msg: RegisterQueueMessage;
         try {
+            msg = RegisterQueueMessage.assign(this.data);
             if (!NoderedUtil.IsNullEmpty(msg.queuename) && msg.queuename.toLowerCase() == "openflow") {
                 throw new Error("Access denied");
             }
-            msg = RegisterQueueMessage.assign(this.data);
             msg.queuename = await cli.CreateConsumer(msg.queuename, parent);
         } catch (error) {
             await handleError(cli, error);
@@ -921,7 +921,7 @@ export class Message {
                 insert.collectionname = msg.collectionname; insert.item = msg.items[i];
                 insert.w = msg.w; insert.j = msg.j; insert.jwt = msg.jwt;
                 tmpmsg.command = "insertone"; tmpmsg.data = JSON.stringify(insert);
-                Promises.push(QueueClient.SendForProcessing(tmpmsg, 1));
+                Promises.push(QueueClient.SendForProcessing(tmpmsg, this.priority));
             }
             var results = await Promise.all(Promises.map(p => p.catch(e => e)));
             if (msg.skipresults) {
diff --git a/OpenFlow/src/SocketMessage.ts b/OpenFlow/src/SocketMessage.ts
@@ -12,6 +12,7 @@ export class SocketMessage {
     public data: string;
     public count: number;
     public index: number;
+    public priority: number = 1;
     public static fromjson(json: string): SocketMessage {
         let result: SocketMessage = new SocketMessage();
         let obj: any = JSON.parse(json);
@@ -20,6 +21,7 @@ export class SocketMessage {
         result.replyto = obj.replyto;
         result.count = 1;
         result.index = 0;
+        if (!NoderedUtil.IsNullEmpty(obj.priority)) result.priority = obj.priority;
         result.data = obj.data;
         if (isNumber(obj.count)) { result.count = obj.count; }
         if (isNumber(obj.index)) { result.index = obj.index; }
diff --git a/OpenFlow/src/WebSocketServerClient.ts b/OpenFlow/src/WebSocketServerClient.ts
@@ -407,6 +407,7 @@ export class WebSocketServerClient {
                 if (msgs.length === 1) {
                     this._receiveQueue = this._receiveQueue.filter(function (msg: SocketMessage): boolean { return msg.id !== id; });
                     const singleresult: Message = Message.frommessage(first, first.data);
+                    singleresult.priority = first.priority;
                     singleresult.Process(this);
                 } else {
                     let buffer: string = "";
@@ -415,6 +416,7 @@ export class WebSocketServerClient {
                     });
                     this._receiveQueue = this._receiveQueue.filter(function (msg: SocketMessage): boolean { return msg.id !== id; });
                     const result: Message = Message.frommessage(first, buffer);
+                    result.priority = first.priority;
                     result.Process(this);
                 }
             } else {
diff --git a/OpenFlow/src/public/CommonControllers.ts b/OpenFlow/src/public/CommonControllers.ts
@@ -434,7 +434,7 @@ export class entitiesCtrl<T> {
             await NoderedUtil.DeleteOne(this.collection, model._id, null, 2);
             this.models = this.models.filter(function (m: any): boolean { return m._id !== model._id; });
         } catch (error) {
-            this.errormessage = error;
+            this.errormessage = error.message ? error.message : error;
         }
         this.loading = false;
         if (!this.$scope.$$phase) { this.$scope.$apply(); }
diff --git a/OpenFlow/src/public/Controllers.ts b/OpenFlow/src/public/Controllers.ts
diff --git a/OpenFlowNodeRED/package.json b/OpenFlowNodeRED/package.json
diff --git a/VERSION b/VERSION
diff --git a/package.json b/package.json

Original file line number	Diff line number	Diff line change
`@@ -434,7 +434,7 @@ export class entitiesCtrl<T> {`
`434`	`434`	`await NoderedUtil.DeleteOne(this.collection, model._id, null, 2);`
`435`	`435`	`this.models = this.models.filter(function (m: any): boolean { return m._id !== model._id; });`
`436`	`436`	`} catch (error) {`
`437`		`- this.errormessage = error;`
	`437`	`+ this.errormessage = error.message ? error.message : error;`
`438`	`438`	`}`
`439`	`439`	`this.loading = false;`
`440`	`440`	`if (!this.$scope.$$phase) { this.$scope.$apply(); }`