
Commit fa8f64e

committed
bump
1 parent 9cb2ec1 commit fa8f64e

7 files changed

Lines changed: 118 additions & 16 deletions


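--- a/OpenFlow/src/Config.ts
+++ b/OpenFlow/src/Config.ts
@@ -22,6 +22,8 @@ export class Config {
 public static tls_passphrase: string = Config.getEnv("tls_passphrase", "");
 
 
+public static update_acl_based_on_groups: boolean = Config.parseBoolean(Config.getEnv("update_acl_based_on_groups", "false"));
+public static multi_tenant: boolean = Config.parseBoolean(Config.getEnv("multi_tenant", "false"));
 public static api_bypass_perm_check: boolean = Config.parseBoolean(Config.getEnv("api_bypass_perm_check", "false"));
 public static websocket_package_size: number = parseInt(Config.getEnv("websocket_package_size", "4096"), 10);
 public static websocket_max_package_count: number = parseInt(Config.getEnv("websocket_max_package_count", "1024"), 10);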
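Review bot: The two new switches at new lines 25–26 are security-relevant — as used elsewhere in this commit, `update_acl_based_on_groups` makes role membership changes rewrite read ACEs on member user/role documents and `multi_tenant` suppresses that for the shared well-known roles and strips their self full_control at startup — yet neither carries a comment, so an operator reading Config.ts cannot tell what turning them on exposes. A short comment above each would make the intent auditable, e.g. `// when true, adding/removing a role member adds/removes a read ACE for that role on the member's document (see DatabaseConnection.Cleanmembers)` and `// when true, members of the shared well-known roles are not granted read on each other, and those roles lose full_control on themselves at init`. Both default to "false", which is the conservative choice; saying so explicitly helps. The Config class starts outside the hunk.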

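--- a/OpenFlow/src/DatabaseConnection.ts
+++ b/OpenFlow/src/DatabaseConnection.ts
@@ -8,7 +8,7 @@ import { Crypt } from "./Crypt";
 import { Config } from "./Config";
 import { TokenUser } from "./TokenUser";
 import { Ace } from "./Ace";
-import { Role } from "./Role";
+import { Role, Rolemember } from "./Role";
 import { UpdateOneMessage } from "./Messages/UpdateOneMessage";
 import { UpdateManyMessage } from "./Messages/UpdateManyMessage";
 import { InsertOrUpdateOneMessage } from "./Messages/InsertOrUpdateOneMessage";
@@ -81,21 +81,98 @@ export class DatabaseConnection {
 }
 return item;
 }
-async Cleanmembers<T extends Role>(item: T): Promise<T> {
-for (var i = item.members.length - 1; i >= 0; i--) {
-{
+async Cleanmembers<T extends Role>(item: T, original: T): Promise<T> {
+var removed: Rolemember[] = [];
+if (original != null && Config.update_acl_based_on_groups == true) {
+for (var i = original.members.length - 1; i >= 0; i--) {
 var ace = item.members[i];
 var exists = item.members.filter(x => x._id == ace._id);
-if (exists.length > 1) {
-item.members.splice(i, 1);
-} else {
-var arr = await this.db.collection("users").find({ _id: ace._id }).project({ name: 1 }).limit(1).toArray();
-if (arr.length == 0) {
+if (exists.length == 0) {
+removed.push(ace);
+}
+}
+}
+var doadd: boolean = true;
+var multi_tenant_skip: string[] = [WellknownIds.users, WellknownIds.filestore_users,
+WellknownIds.nodered_api_users, WellknownIds.nodered_users, WellknownIds.personal_nodered_users,
+WellknownIds.robot_users, , WellknownIds.robots];
+if (item._id == WellknownIds.users && Config.multi_tenant) {
+doadd = false;
+}
+if (doadd) {
+for (var i = item.members.length - 1; i >= 0; i--) {
+{
+var ace = item.members[i];
+var exists = item.members.filter(x => x._id == ace._id);
+if (exists.length > 1) {
 item.members.splice(i, 1);
-} else { ace.name = arr[0].name; }
+} else {
+var arr = await this.db.collection("users").find({ _id: ace._id }).project({ name: 1, _acl: 1, _type: 1 }).limit(1).toArray();
+if (arr.length == 0) {
+item.members.splice(i, 1);
+}
+else if (Config.update_acl_based_on_groups == true) {
+ace.name = arr[0].name;
+if (Config.multi_tenant && multi_tenant_skip.indexOf(item._id) > -1) {
+// when multi tenant don't allow members of common user groups to see each other
+console.log("Running in multi tenant mode, skip adding permissions for " + item.name);
+} else if (arr[0]._type == "user") {
+var u: User = User.assign(arr[0]);
+if (u.getRight(item._id) == null) {
+console.log("Assigning " + item.name + " read permission to " + u.name);
+u.addRight(item._id, item.name, [Rights.read], false);
+// await this.db.collection("users").save(u);
+} else if (u._id != item._id) {
+console.log(item.name + " allready exists on " + u.name);
+}
+} else if (arr[0]._type == "role") {
+var r: Role = Role.assign(arr[0]);
+if (r._id == WellknownIds.admins || r._id == WellknownIds.users) {
+}
+if (r.getRight(item._id) == null) {
+console.log("Assigning " + item.name + " read permission to " + r.name);
+r.addRight(item._id, item.name, [Rights.read], false);
+// await this.db.collection("users").save(r);
+} else if (r._id != item._id) {
+console.log(item.name + " allready exists on " + r.name);
+}
+
+}
+}
+}
 }
 }
 }
+
+for (var i = removed.length - 1; i >= 0; i--) {
+var ace = removed[i];
+var arr = await this.db.collection("users").find({ _id: ace._id }).project({ name: 1, _acl: 1, _type: 1 }).limit(1).toArray();
+if (arr.length == 1 && item._id != WellknownIds.admins && item._id != WellknownIds.root) {
+if (Config.multi_tenant && multi_tenant_skip.indexOf(item._id) > -1) {
+// when multi tenant don't allow members of common user groups to see each other
+console.log("Running in multi tenant mode, skip removing permissions for " + item.name);
+} else if (arr[0]._type == "user") {
+var u: User = User.assign(arr[0]);
+if (u.getRight(item._id) != null) {
+console.log("Removing " + item.name + " read permissions from " + u.name);
+u.removeRight(item._id, [Rights.read]);
+// await this.db.collection("users").save(u);
+} else {
+console.log("No need to remove " + item.name + " read permissions from " + u.name);
+}
+} else if (arr[0]._type == "role") {
+var r: Role = Role.assign(arr[0]);
+if (r.getRight(item._id) != null) {
+console.log("Removing " + item.name + " read permissions from " + r.name);
+r.removeRight(item._id, [Rights.read]);
+// await this.db.collection("users").save(r);
+} else {
+console.log("No need to remove " + item.name + " read permissions from " + u.name);
+}
+}
+
+}
+}
 return item;
 }
 
@@ -358,7 +435,7 @@ export class DatabaseConnection {
 
 item = await this.CleanACL(item);
 if (item._type === "role" && collectionname === "users") {
-item = await this.Cleanmembers(item as any);
+item = await this.Cleanmembers(item as any, null);
 }
 
 // var options:CollectionInsertOneOptions = { writeConcern: { w: parseInt((w as any)), j: j } };
@@ -556,7 +633,7 @@ export class DatabaseConnection {
 (q.item as any).metadata = await this.CleanACL((q.item as any).metadata);
 }
 if (q.item._type === "role" && q.collectionname === "users") {
-q.item = await this.Cleanmembers(q.item as any);
+q.item = await this.Cleanmembers(q.item as any, original);
 }
 
 if (q.collectionname != "fs.files") {
@@ -867,6 +944,20 @@ export class DatabaseConnection {
 // this._logger.debug("[" + user.username + "] Skip isme in base query, not read (" + bits[0] + ")");
 // } else {
 // this._logger.debug("[" + user.username + "] Skip isme in base query, bits missing!");
+// }
+// if(bits.length==1 && (bits[0]+1) == Rights.read)
+// {
+// for (var i: number = 0; i < user.roles.length; i++) {
+// var role = user.roles[i];
+// if(role._id!=WellknownIds.admins && role._id!=WellknownIds.robots && role._id!=WellknownIds.nodered_users &&
+// role._id!=WellknownIds.nodered_admins && role._id!=WellknownIds.nodered_api_users && role._id!=WellknownIds.filestore_users &&
+// role._id!=WellknownIds.filestore_admins && role._id!=WellknownIds.robot_users && role._id!=WellknownIds.robot_admins
+// && role._id!=WellknownIds.personal_nodered_users)
+// {
+
+// }
+// }
+
 // }
 return { $or: finalor.concat() };
 }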
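Review bot: The removal pass in Cleanmembers does not work: the new loop at line 87 iterates `original.members`, but the context line 88 it now wraps still reads `var ace = item.members[i];`, so the code compares the new member list against itself — `removed` stays empty whenever both lists have the same length, and when a member really was dropped `item.members[i]` is undefined and `ace._id` throws on the next line. It should read `var ace = original.members[i];`. Two further defects in the same method: the `// await this.db.collection("users").save(u);` / `save(r)` lines (124, 135, 159, 168) are commented out, so the read ACEs added to or removed from `u`/`r` are never written back and the whole `update_acl_based_on_groups` feature is a no-op as committed; and line 170 logs `u.name` inside the role branch, where `u` is hoisted but possibly never assigned, so it should be `r.name`. Minor: line 98 has a stray `, ,` that puts an undefined hole in `multi_tenant_skip`, and the empty `if (r._id == WellknownIds.admins || r._id == WellknownIds.users) { }` at lines 130–131 either needs its body or should be removed.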

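--- a/OpenFlow/src/Messages/Message.ts
+++ b/OpenFlow/src/Messages/Message.ts
@@ -742,6 +742,7 @@ export class Message {
 { name: "api_ws_url", value: Config.api_ws_url },
 { name: "amqp_url", value: Config.amqp_url },
 { name: "nodered_domain_schema", value: hostname },
+{ name: "domain", value: hostname }
 { name: "protocol", value: Config.protocol },
 { name: "port", value: Config.port.toString() },
 { name: "noderedusers", value: (name + "noderedusers") },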
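Review bot: The added element at new line 745, `{ name: "domain", value: hostname }`, has no trailing comma as rendered, and `{ name: "protocol", value: Config.protocol },` follows it directly, so the array literal does not parse and the file will fail to compile. It should be `{ name: "domain", value: hostname },`. Worth a build before this ships as 0.0.394; the enclosing array and the Message method around it start and end outside the hunk.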

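--- a/OpenFlow/src/index.ts
+++ b/OpenFlow/src/index.ts
@@ -54,13 +54,15 @@ async function initDatabase(): Promise<boolean> {
 users.addRight(WellknownIds.admins, "admins", [Rights.full_control]);
 users.removeRight(WellknownIds.admins, [Rights.delete]);
 users.AddMember(root);
+if (users.getRight(users._id) && Config.multi_tenant) users.removeRight(users._id, [Rights.full_control])
 await users.Save(jwt);
 
 
 var personal_nodered_users: Role = await User.ensureRole(jwt, "personal nodered users", WellknownIds.personal_nodered_users);
 personal_nodered_users.AddMember(admins);
 personal_nodered_users.addRight(WellknownIds.admins, "admins", [Rights.full_control]);
 personal_nodered_users.removeRight(WellknownIds.admins, [Rights.delete]);
+if (personal_nodered_users.getRight(personal_nodered_users._id) && Config.multi_tenant) personal_nodered_users.removeRight(personal_nodered_users._id, [Rights.full_control])
 await personal_nodered_users.Save(jwt);
 var nodered_admins: Role = await User.ensureRole(jwt, "nodered admins", WellknownIds.nodered_admins);
 nodered_admins.AddMember(admins);
@@ -71,11 +73,13 @@ async function initDatabase(): Promise<boolean> {
 nodered_users.AddMember(admins);
 nodered_users.addRight(WellknownIds.admins, "admins", [Rights.full_control]);
 nodered_users.removeRight(WellknownIds.admins, [Rights.delete]);
+if (nodered_users.getRight(nodered_users._id) && Config.multi_tenant) nodered_users.removeRight(nodered_users._id, [Rights.full_control])
 await nodered_users.Save(jwt);
 var nodered_api_users: Role = await User.ensureRole(jwt, "nodered api users", WellknownIds.nodered_api_users);
 nodered_api_users.AddMember(admins);
 nodered_api_users.addRight(WellknownIds.admins, "admins", [Rights.full_control]);
 nodered_api_users.removeRight(WellknownIds.admins, [Rights.delete]);
+if (nodered_api_users.getRight(nodered_api_users._id) && Config.multi_tenant) nodered_api_users.removeRight(nodered_api_users._id, [Rights.full_control])
 await nodered_api_users.Save(jwt);
 
 var robot_admins: Role = await User.ensureRole(jwt, "robot admins", WellknownIds.robot_admins);
@@ -88,6 +92,7 @@ async function initDatabase(): Promise<boolean> {
 robot_users.AddMember(users);
 robot_users.addRight(WellknownIds.admins, "admins", [Rights.full_control]);
 robot_users.removeRight(WellknownIds.admins, [Rights.delete]);
+if (robot_users.getRight(robot_users._id) && Config.multi_tenant) robot_users.removeRight(robot_users._id, [Rights.full_control])
 await robot_users.Save(jwt);
 
 if (!admins.IsMember(root._id)) {
@@ -99,15 +104,18 @@ async function initDatabase(): Promise<boolean> {
 filestore_admins.AddMember(admins);
 filestore_admins.addRight(WellknownIds.admins, "admins", [Rights.full_control]);
 filestore_admins.removeRight(WellknownIds.admins, [Rights.delete]);
+if (filestore_admins.getRight(filestore_admins._id) && Config.multi_tenant) filestore_admins.removeRight(filestore_admins._id, [Rights.full_control])
 await filestore_admins.Save(jwt);
 var filestore_users: Role = await User.ensureRole(jwt, "filestore users", WellknownIds.filestore_users);
 filestore_users.AddMember(admins);
 filestore_users.AddMember(users);
 filestore_users.addRight(WellknownIds.admins, "admins", [Rights.full_control]);
 filestore_users.removeRight(WellknownIds.admins, [Rights.delete]);
+if (filestore_users.getRight(filestore_users._id) && Config.multi_tenant) filestore_users.removeRight(filestore_users._id, [Rights.full_control])
 await filestore_users.Save(jwt);
 
 
+
 // Temp hack to update all existing users and roles
 // var _users = await Config.db.query<Role>({ $or: [{ _type: "user" }, { _type: "role" }] }, null, 1000, 0, null, "users", jwt);
 // for (var i = 0; i < _users.length; i++) {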
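Review bot: The guard `if (X.getRight(X._id) && Config.multi_tenant) X.removeRight(X._id, [Rights.full_control])` is pasted seven times across the four hunks (lines 57, 65, 76, 82, 95, 107, 114), each copy without a terminating semicolon, which makes the multi-tenant hardening hard to audit and easy to miss when the next role is added. A one-line helper such as `const stripSelfRight = (r: Role) => { if (Config.multi_tenant && r.getRight(r._id)) r.removeRight(r._id, [Rights.full_control]); };` called once per role before its `Save(jwt)` would state the intent in one place. The visible hunks do not apply the same stripping to nodered_admins or robot_admins, whose setup is partly in view; if that is deliberate — admin roles keeping full_control on themselves — a comment saying so would help, since a role that holds full_control on itself presumably lets every member modify that role, membership included. initDatabase starts and ends outside the hunks.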

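--- a/OpenFlow/src/public/Controllers.ts
+++ b/OpenFlow/src/public/Controllers.ts
@@ -2272,7 +2272,7 @@ module openflow {
 delete this.model[key];
 }
 });
-this.models = await this.api.Query(this.collection + "_hist", { id: this.id }, null, { _version: -1 });
+this.models = await this.api.Query(this.collection + "_hist", { id: this.id }, null, this.orderby);
 if (!this.$scope.$$phase) { this.$scope.$apply(); }
 }
 CompareNow(model) {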
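Review bot: The history query at new line 2275 now sorts by `this.orderby` instead of the fixed `{ _version: -1 }`; if `this.orderby` is undefined, or was set for the main collection's listing rather than for the `_hist` view, the revisions come back in server order and the newest-first presentation the old code guaranteed is lost. Unless `this.orderby` is known to be initialised for this view (not visible in the hunk), a fallback preserves the previous behaviour: `null, this.orderby || { _version: -1 });`. The enclosing method starts outside the hunk.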

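--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.0.393
+0.0.394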

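--- a/package.json
+++ b/package.json
@@ -22,7 +22,7 @@
 "@types/angular": "^1.6.55",
 "@types/angular-route": "^1.7.0",
 "@types/jquery": "^3.3.30",
-"@types/mongodb": "^3.1.28",
+"@types/mongodb": "^3.3.12",
 "@types/passport": "^1.0.0",
 "amqplib": "^0.5.3",
 "angular-chart.js": "^1.1.1",
@@ -52,7 +52,7 @@
 "jsondiffpatch": "^0.3.11",
 "jsonwebtoken": "^8.5.1",
 "mimetype": "0.0.8",
-"mongodb": "^3.2.7",
+"mongodb": "^3.3.5",
 "morgan": "^1.9.1",
 "multer": "^1.4.2",
 "multer-gridfs-storage": "^3.3.0",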
