Improve disabled user token handling

skadefro · skadefro · commit 303dda878ebb · 2020-07-27T16:38:30.000+02:00
diff --git a/OpenFlow/src/Config.ts b/OpenFlow/src/Config.ts
@@ -83,6 +83,8 @@ export class Config {
     public static db: DatabaseConnection = null;
     public static version: string = Config.getversion();
     public static logpath: string = Config.getEnv("logpath", __dirname);
+    public static log_queries: boolean = Config.parseBoolean(Config.getEnv("log_queries", "false"));
+
 
     public static NODE_ENV: string = Config.getEnv("NODE_ENV", "development");
 
@@ -123,10 +125,6 @@ export class Config {
     public static amqp_requeue_time: number = parseInt(Config.getEnv("amqp_requeue_time", "1000")); // 1 seconds    
     public static amqp_dlx: string = Config.getEnv("amqp_dlx", "openflow-dlx");  // Dead letter exchange, used to pickup dead or timeout messages
 
-    // public static amqp_default_expiration: number = parseInt(Config.getEnv("amqp_default_expiration", (60 * 1000).toString())); // 1 min
-    // public static deadLetterExchange: string = Config.getEnv("deadletterexchange", "openflow-dlx");  // queue used to handle messages, that was not picked up.
-    // public static dlxmessagettl: number = parseInt(Config.getEnv("dlxmessagettl", "2000"));  // time to live for messages in miliseconds
-    // public static dlxmessageexpires: number = parseInt(Config.getEnv("dlxmessageexpires", "1500"));  // expire messages after this amount of miliseconds
     public static mongodb_url: string = Config.getEnv("mongodb_url", "mongodb://localhost:27017");
     public static mongodb_db: string = Config.getEnv("mongodb_db", "openflow");
 
@@ -142,23 +140,13 @@ export class Config {
     public static downloadtoken_expires_in: string = Config.getEnv("downloadtoken_expires_in", "15m");
     public static personalnoderedtoken_expires_in: string = Config.getEnv("personalnoderedtoken_expires_in", "365d");
 
-    // Used to configure personal nodered's
-    // public static force_queue_prefix: boolean = Config.parseBoolean(Config.getEnv("force_queue_prefix", "true"));
     public static nodered_image: string = Config.getEnv("nodered_image", "cloudhack/openflownodered:edge");
     public static saml_federation_metadata: string = Config.getEnv("saml_federation_metadata", "");
     public static api_ws_url: string = Config.getEnv("api_ws_url", "ws://localhost:3000");
     public static namespace: string = Config.getEnv("namespace", ""); // also sent to website 
     public static nodered_domain_schema: string = Config.getEnv("nodered_domain_schema", ""); // also sent to website
     public static nodered_initial_liveness_delay: number = parseInt(Config.getEnv("nodered_initial_liveness_delay", "60"));
 
-    // Environment variables to set a prefix for RabbitMQs Dead Letter Exchange, Dead Letter Routing Key,
-    // Dead Letter Queue, and Message Time to Live - to enable timeouts for RabbitMQ messages
-    // These values must be the same for OpenFlowNodeRED and OpenFlow, or will cause errors when asserting queues
-    // public static amqp_dlx_prefix: string = Config.getEnv("amqp_dlx_prefix", "DLX.");
-    // public static amqp_dlrk_prefix: string = Config.getEnv("amqp_dlrk_prefix", "dlx.");
-    // public static amqp_dlq_prefix: string = Config.getEnv("amqp_dlq_prefix", "dlq.");
-    // public static amqp_message_ttl: number = parseInt(Config.getEnv("amqp_message_ttl", "20000"));
-
     public static baseurl(): string {
         var result: string = "";
         if (Config.tls_crt != '' && Config.tls_key != '') {
@@ -171,13 +159,6 @@ export class Config {
         } else { result = result + "/"; }
         return result;
     }
-    // public static async get_login_providers():Promise<void> {
-    //     this.login_providers = await Config.db.query<Provider>({_type: "provider"}, null, 1, 0, null, "config", Crypt.rootToken());
-    //     // if(this.login_providers.length > 0) { return; }
-    //     if(fs.existsSync("config/login_providers.json")) {
-    //         // this.login_providers = JSON.parse(fs.readFileSync("config/login_providers.json", "utf8"));
-    //     }
-    // }
     public static getEnv(name: string, defaultvalue: string): string {
         var value: any = process.env[name];
         if (!value || value === "") { value = defaultvalue; }
diff --git a/OpenFlow/src/DatabaseConnection.ts b/OpenFlow/src/DatabaseConnection.ts
@@ -350,7 +350,7 @@ export class DatabaseConnection {
         }
         for (var i: number = 0; i < arr.length; i++) { arr[i] = this.decryptentity(arr[i]); }
         DatabaseConnection.traversejsondecode(arr);
-        this._logger.debug("[" + user.username + "][" + collectionname + "] query gave " + arr.length + " results ");
+        if (Config.log_queries) this._logger.debug("[" + user.username + "][" + collectionname + "] query gave " + arr.length + " results ");
         return arr;
     }
     /**
diff --git a/OpenFlow/src/Messages/Message.ts b/OpenFlow/src/Messages/Message.ts
@@ -576,7 +576,28 @@ export class Message {
         }
         this.Send(cli);
     }
-
+    public static async DoSignin(cli: WebSocketServerClient, rawAssertion: string): Promise<TokenUser> {
+        var tuser: TokenUser;
+        var user: User;
+        var type: string = "jwtsignin";
+        if (!NoderedUtil.IsNullEmpty(rawAssertion)) {
+            type = "samltoken";
+            user = await LoginProvider.validateToken(rawAssertion);
+            tuser = TokenUser.From(user);
+        } else if (!NoderedUtil.IsNullEmpty(cli.jwt)) {
+            tuser = Crypt.verityToken(cli.jwt);
+            user = await DBHelper.FindByUsername(tuser.username);
+            tuser = TokenUser.From(user);
+        }
+        if (user.disabled) {
+            Audit.LoginFailed(tuser.username, type, "websocket", cli.remoteip, cli.clientagent, cli.clientversion);
+            tuser = null;
+            // cli._logger.debug("Disabled user " + tuser.username + " failed logging in using " + type);
+        } else {
+            Audit.LoginSuccess(tuser, type, "websocket", cli.remoteip, cli.clientagent, cli.clientversion);
+        }
+        return tuser;
+    }
     private async Signin(cli: WebSocketServerClient): Promise<void> {
         this.Reply();
         var msg: SigninMessage
diff --git a/OpenFlow/src/WebSocketServer.ts b/OpenFlow/src/WebSocketServer.ts
@@ -6,7 +6,7 @@ import { DatabaseConnection } from "./DatabaseConnection";
 import { Crypt } from "./Crypt";
 import { Message } from "./Messages/Message";
 import { Config } from "./Config";
-import { SigninMessage, NoderedUtil } from "openflow-api";
+import { SigninMessage, NoderedUtil, TokenUser } from "openflow-api";
 
 export class WebSocketServer {
     private static _logger: winston.Logger;
@@ -36,22 +36,26 @@ export class WebSocketServer {
     }
     private static async pingClients(): Promise<void> {
         let count: number = WebSocketServer._clients.length;
-        WebSocketServer._clients = WebSocketServer._clients.filter(function (cli: WebSocketServerClient): boolean {
+        for (var i = WebSocketServer._clients.length - 1; i >= 0; i--) {
+            var cli: WebSocketServerClient = WebSocketServer._clients[i];
             try {
                 if (!NoderedUtil.IsNullEmpty(cli.jwt)) {
-                    var tuser = Crypt.verityToken(cli.jwt);
                     var payload = Crypt.decryptToken(cli.jwt);
                     var clockTimestamp = Math.floor(Date.now() / 1000);
-                    // WebSocketServer._logger.silly((payload.exp - clockTimestamp))
                     if ((payload.exp - clockTimestamp) < 60) {
-                        WebSocketServer._logger.debug("Token for " + tuser.username + " expires in less than 1 minute, send new jwt to client");
-                        var l: SigninMessage = new SigninMessage();
-                        cli.jwt = Crypt.createToken(tuser, Config.shorttoken_expires_in);
-                        l.jwt = cli.jwt;
-                        l.user = tuser;
-                        var m: Message = new Message(); m.command = "refreshtoken";
-                        m.data = JSON.stringify(l);
-                        cli.Send(m);
+                        WebSocketServer._logger.debug("Token for " + cli.id + "/" + cli.user.name + "/" + cli.clientagent + " expires in less than 1 minute, send new jwt to client");
+                        var tuser: TokenUser = await Message.DoSignin(cli, null);
+                        if (tuser != null) {
+                            var l: SigninMessage = new SigninMessage();
+                            cli.jwt = Crypt.createToken(tuser, Config.shorttoken_expires_in);
+                            l.jwt = cli.jwt;
+                            l.user = tuser;
+                            var m: Message = new Message(); m.command = "refreshtoken";
+                            m.data = JSON.stringify(l);
+                            cli.Send(m);
+                        } else {
+                            cli.Close();
+                        }
                     }
                 }
             } catch (error) {
@@ -62,17 +66,22 @@ export class WebSocketServer {
             var seconds = (now.getTime() - cli.lastheartbeat.getTime()) / 1000;
             if (seconds >= Config.client_heartbeat_timeout) {
                 if (cli.user != null) {
-                    WebSocketServer._logger.info("client " + cli.user.name + "/" + cli.clientagent + " timeout, close down");
+                    WebSocketServer._logger.info("client " + cli.id + "/" + cli.user.name + "/" + cli.clientagent + " timeout, close down");
                 } else {
-                    WebSocketServer._logger.info("client not signed/" + cli.clientagent + " timeout, close down");
+                    WebSocketServer._logger.info("client not signed/" + cli.id + "/" + cli.clientagent + " timeout, close down");
                 }
                 cli.Close();
-                return false;
             }
             cli.ping();
-            if (!cli.connected() && cli.queuecount() == 0) return false;
-            return true;
-        });
+            if (!cli.connected() && cli.queuecount() == 0) {
+                if (cli.user != null) {
+                    WebSocketServer._logger.info("removing disconnected client " + cli.id + "/" + cli.user.name + "/" + cli.clientagent);
+                } else {
+                    WebSocketServer._logger.info("removing disconnected client " + cli.id + "/" + cli.clientagent + " timeout, close down");
+                }
+                WebSocketServer._clients.splice(i, 1);
+            }
+        }
         if (count !== WebSocketServer._clients.length) {
             WebSocketServer._logger.info("new client count: " + WebSocketServer._clients.length);
         }
diff --git a/OpenFlow/src/WebSocketServerClient.ts b/OpenFlow/src/WebSocketServerClient.ts
@@ -46,7 +46,7 @@ export class WebSocketServerClient {
         if ((socketObject as any)._socket != undefined) {
             this.remoteip = (socketObject as any)._socket.remoteAddress;
         }
-        logger.info("new client ");;
+        logger.info("new client " + this.id);;
         socketObject.on("open", (e: Event): void => this.open(e));
         socketObject.on("message", (e: string): void => this.message(e)); // e: MessageEvent
         socketObject.on("error", (e: Event): void => this.error(e));
diff --git a/OpenFlow/src/public/WebSocketClientService.ts b/OpenFlow/src/public/WebSocketClientService.ts
@@ -86,6 +86,7 @@ export class WebSocketClientService {
                 console.log(error);
                 try {
                     document.write(error);
+                    document.write("<br/><a href=\"/Signout\">Signout</a>");
                 } catch (error) {
 
                 }
@@ -126,7 +127,8 @@ export class WebSocketClientService {
         info(msg) { console.log(msg); },
         verbose(msg) { console.debug(msg); },
         error(msg) { console.error(msg); },
-        debug(msg) { console.debug(msg); }
+        debug(msg) { console.debug(msg); },
+        silly(msg) { console.debug(msg); }
     }
     public user: TokenUser = null;
     public jwt: string = null;
diff --git a/OpenFlowNodeRED/package.json b/OpenFlowNodeRED/package.json
@@ -37,7 +37,7 @@
     "morgan": "^1.10.0",
     "node-red": "^1.1.2",
     "node-red-node-email": "^1.7.8",
-    "openflow-api": "^1.0.16",
+    "openflow-api": "^1.0.17",
     "os-service": "^2.2.0",
     "passport-saml": "^1.3.4",
     "passport-saml-metadata": "^2.3.0",
diff --git a/package.json b/package.json
@@ -58,7 +58,7 @@
     "morgan": "^1.10.0",
     "multer": "^1.4.2",
     "multer-gridfs-storage": "^4.2.0",
-    "openflow-api": "^1.0.16",
+    "openflow-api": "^1.0.17",
     "os-service": "^2.2.0",
     "passport": "^0.4.1",
     "passport-google-oauth20": "^2.0.0",

Original file line number	Diff line number	Diff line change
`@@ -350,7 +350,7 @@ export class DatabaseConnection {`
`350`	`350`	`}`
`351`	`351`	`for (var i: number = 0; i < arr.length; i++) { arr[i] = this.decryptentity(arr[i]); }`
`352`	`352`	`DatabaseConnection.traversejsondecode(arr);`
`353`		`- this._logger.debug("[" + user.username + "][" + collectionname + "] query gave " + arr.length + " results ");`
	`353`	`+ if (Config.log_queries) this._logger.debug("[" + user.username + "][" + collectionname + "] query gave " + arr.length + " results ");`
`354`	`354`	`return arr;`
`355`	`355`	`}`
`356`	`356`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -46,7 +46,7 @@ export class WebSocketServerClient {`
`46`	`46`	`if ((socketObject as any)._socket != undefined) {`
`47`	`47`	`this.remoteip = (socketObject as any)._socket.remoteAddress;`
`48`	`48`	`}`
`49`		`- logger.info("new client ");;`
	`49`	`+ logger.info("new client " + this.id);;`
`50`	`50`	`socketObject.on("open", (e: Event): void => this.open(e));`
`51`	`51`	`socketObject.on("message", (e: string): void => this.message(e)); // e: MessageEvent`
`52`	`52`	`socketObject.on("error", (e: Event): void => this.error(e));`