From b7bd6212c518ce4b754d1a49064d119fb6ff95c8 Mon Sep 17 00:00:00 2001
From: Sachin Maheshwari
Date: Mon, 14 May 2018 14:33:36 +0530
Subject: [PATCH 1/3] deprecating static email token.
---
.circleci/config.yml | 2 +-
config/default.js | 1 -
deploy.sh | 7 +------
services/PlaceholderService.js | 28 ++++++++++++++++++----------
4 files changed, 20 insertions(+), 18 deletions(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index ab6d140..d0b6a98 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -82,7 +82,7 @@ workflows:
- "build-dev":
filters:
branches:
- only: dev
+ only: ['dev','feature/m2mtoken-support']
- "build-prod":
filters:
branches:
diff --git a/config/default.js b/config/default.js
index 972c3c4..d0ee583 100644
--- a/config/default.js
+++ b/config/default.js
@@ -14,7 +14,6 @@ module.exports = {
KAFKA_TOPIC_PREFIX: process.env.KAFKA_TOPIC_PREFIX || '',
ALLOWED_SERVICES: process.env.ALLOWED_SERVICES || ['project-service', 'message-service'],
TC_EMAIL_SERVICE_URL: process.env.TC_EMAIL_SERVICE_URL,
- TC_EMAIL_SERVICE_TOKEN: process.env.TC_EMAIL_SERVICE_TOKEN,
TC_EMAIL_SERVICE_CACHE_PERIOD: process.env.TC_EMAIL_SERVICE_CACHE_PERIOD || (3600 * 1000),
// Configuration for generating machine to machine auth0 token.
diff --git a/deploy.sh b/deploy.sh
index 8d5afd4..60c7b78 100755
--- a/deploy.sh
+++ b/deploy.sh
@@ -49,7 +49,6 @@ AUTH_DOMAIN=$(eval "echo \$${ENV}_AUTH_DOMAIN")
VALID_ISSUERS=$(eval "echo \$${ENV}_VALID_ISSUERS")
TC_EMAIL_SERVICE_URL=$(eval "echo \$${ENV}_TC_EMAIL_SERVICE_URL")
-TC_EMAIL_SERVICE_TOKEN=$(eval "echo \$${ENV}_TC_EMAIL_SERVICE_TOKEN")
AUTH0_URL=$(eval "echo \$${ENV}_AUTH0_URL")
AUTH0_AUDIENCE=$(eval "echo \$${ENV}_AUTH0_AUDIENCE")
@@ -157,10 +156,6 @@ make_task_def(){
"name": "TC_EMAIL_SERVICE_URL",
"value": "%s"
},
-{
- "name": "TC_EMAIL_SERVICE_TOKEN",
- "value": "%s"
- },
{
"name": "AUTH0_URL",
"value": "%s"
@@ -200,7 +195,7 @@ make_task_def(){
}
]'
- task_def=$(printf "$task_template" $AWS_ECS_CONTAINER_NAME $AWS_ACCOUNT_ID $AWS_REGION $AWS_REPOSITORY $TAG $ENV $KAFKA_URL "$KAFKA_CLIENT_CERT" "$KAFKA_CLIENT_CERT_KEY" $LOG_LEVEL $JWT_TOKEN_SECRET "$KAFKA_TOPIC_PREFIX" "$ALLOWED_SERVICES" $JWT_TOKEN_EXPIRES_IN "$API_VERSION" $PORT "$AUTH_DOMAIN" "$VALID_ISSUERS" $TC_EMAIL_SERVICE_URL $TC_EMAIL_SERVICE_TOKEN "$AUTH0_URL" "$AUTH0_AUDIENCE" $AUTH0_CLIENT_ID "$AUTH0_CLIENT_SECRET" $TOKEN_CACHE_TIME $AWS_ECS_CLUSTER $AWS_REGION $AWS_ECS_CLUSTER $ENV)
+ task_def=$(printf "$task_template" $AWS_ECS_CONTAINER_NAME $AWS_ACCOUNT_ID $AWS_REGION $AWS_REPOSITORY $TAG $ENV $KAFKA_URL "$KAFKA_CLIENT_CERT" "$KAFKA_CLIENT_CERT_KEY" $LOG_LEVEL $JWT_TOKEN_SECRET "$KAFKA_TOPIC_PREFIX" "$ALLOWED_SERVICES" $JWT_TOKEN_EXPIRES_IN "$API_VERSION" $PORT "$AUTH_DOMAIN" "$VALID_ISSUERS" $TC_EMAIL_SERVICE_URL "$AUTH0_URL" "$AUTH0_AUDIENCE" $AUTH0_CLIENT_ID "$AUTH0_CLIENT_SECRET" $TOKEN_CACHE_TIME $AWS_ECS_CLUSTER $AWS_REGION $AWS_ECS_CLUSTER $ENV)
}
register_definition() {
diff --git a/services/PlaceholderService.js b/services/PlaceholderService.js
index cce72f6..88292fe 100644
--- a/services/PlaceholderService.js
+++ b/services/PlaceholderService.js
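Review bot: In the rewritten `task_def=$(printf "$task_template" ...)` line of make_task_def in deploy.sh, `$TC_EMAIL_SERVICE_URL` (like `$JWT_TOKEN_SECRET` and `$AUTH0_CLIENT_ID` beside it) is still expanded unquoted while its neighbours `"$VALID_ISSUERS"` and `"$AUTH0_URL"` are quoted; if that value is empty or contains whitespace the positional arguments shift and every later `%s` in the template, including the one for AUTH0_CLIENT_SECRET, silently receives the wrong value. Since this commit already reworks the argument list, quote it: `"$VALID_ISSUERS" "$TC_EMAIL_SERVICE_URL" "$AUTH0_URL"`. The argument count does match the four template lines dropped in the previous hunk. make_task_def begins before this hunk.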
@@ -6,24 +6,32 @@ const Joi = require('joi')
const config = require('config')
const request = require('superagent')
const cache = require('memory-cache')
+const tcCoreLibAuth = require('tc-core-library-js').auth
+const m2m = tcCoreLibAuth.m2m(config)
+
/**
* Get all email template placeholders name.
*
* @returns {Array} list with email template placeholders name
*/
-async function getAllPlaceholders (name) {
+async function getAllPlaceholders(name) {
const cachedData = cache.get(`placeholders-${name}`)
if (cachedData == null) {
- const data = await request
- .get(`${config.TC_EMAIL_SERVICE_URL}/templates/${name}`)
- .set('accept', 'json')
- .set('authorization', `Bearer ${config.TC_EMAIL_SERVICE_TOKEN}`)
- const parsedData = JSON.parse(data.text)
-
- cache.put(`placeholders-${name}`, parsedData, config.TC_EMAIL_SERVICE_CACHE_PERIOD)
-
- return parsedData
+ try {
+ const token = await m2m.getMachineToken(config.AUTH0_CLIENT_ID, config.AUTH0_CLIENT_SECRET)
+ const data = await request
+ .get(`${config.TC_EMAIL_SERVICE_URL}/templates/${name}`)
+ .set('accept', 'json')
+ .set('authorization', `Bearer ${token}`)
+ const parsedData = JSON.parse(data.text)
+
+ cache.put(`placeholders-${name}`, parsedData, config.TC_EMAIL_SERVICE_CACHE_PERIOD)
+
+ return parsedData
+ } catch (err) {
+ console.log(`Error generating m2m token: ${err.message}`)
+ }
}
return cachedData
From eb2d0ef204e92d8eac68dbb305ee8274b8d5851f Mon Sep 17 00:00:00 2001
From: Sachin Maheshwari
Date: Wed, 16 May 2018 18:19:23 +0530
Subject: [PATCH 2/3] checking scope - restricting to support only m2m token with specific scopes.
---
.circleci/config.yml | 2 +-
common/helper.js | 12 +++++++++++-
config/default.js | 6 +++++-
controllers/EventController.js | 3 +++
controllers/TopicController.js | 3 +++
5 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index d0b6a98..747a1fa 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
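Review bot: The `catch (err)` added to getAllPlaceholders swallows every failure of the token fetch, the superagent request and `JSON.parse`, logs it as "Error generating m2m token", and then falls through to `return cachedData`, which is `null` on this path, so callers now get `null` for an auth or network failure where they previously got the error. Rethrow after logging (`throw err`) or drop the try/catch, and if the log stays, word it for the whole block, e.g. `Error fetching placeholders for ${name}: ${err.message}`. Separately, `config.AUTH0_CLIENT_SECRET` will read `undefined` if config/default.js spells the key `AUTH0_CLIENT_Secret`, as the context line of the second patch's config hunk suggests — worth confirming the key name, since getMachineToken would then be called without a secret. The JSDoc above still lists no parameter; add `@param {String} name the email template name`. The function's closing brace lies outside the hunk.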
@@ -82,7 +82,7 @@ workflows:
- "build-dev":
filters:
branches:
- only: ['dev','feature/m2mtoken-support']
+ only: ['dev']
- "build-prod":
filters:
branches:
diff --git a/common/helper.js b/common/helper.js
index 091c045..c2249c3 100644
--- a/common/helper.js
+++ b/common/helper.js
@@ -189,10 +189,20 @@ function validateEventPayload (event) {
}
}
+function verifyTokenScope(req, scope) {
+ const isMachineToken = _.get(req, 'authUser.isMachine', false);
+ const scopes = _.get(req, 'authUser.scopes', []);
+ if (isMachineToken && (_.indexOf(scopes, scope) >= 0)) {
+ return true;
+ }
+ throw createError.Unauthorized("Check your token scope.")
+}
+
module.exports = {
buildService,
verifyJwtToken,
signJwtToken,
validateEvent,
- validateEventPayload
+ validateEventPayload,
+ verifyTokenScope
}
diff --git a/config/default.js b/config/default.js
index d0ee583..3aa2e07 100644
--- a/config/default.js
+++ b/config/default.js
@@ -15,7 +15,7 @@ module.exports = {
ALLOWED_SERVICES: process.env.ALLOWED_SERVICES || ['project-service', 'message-service'],
TC_EMAIL_SERVICE_URL: process.env.TC_EMAIL_SERVICE_URL,
TC_EMAIL_SERVICE_CACHE_PERIOD: process.env.TC_EMAIL_SERVICE_CACHE_PERIOD || (3600 * 1000),
-
+
// Configuration for generating machine to machine auth0 token.
// The token will be used for calling another internal API.
AUTH0_URL: process.env.AUTH0_URL || '',
@@ -25,4 +25,8 @@ module.exports = {
TOKEN_CACHE_TIME: process.env.TOKEN_CACHE_TIME || 86400000,
AUTH0_CLIENT_ID: process.env.AUTH0_CLIENT_ID,
AUTH0_CLIENT_Secret: process.env.AUTH0_CLIENT_SECRET,
+ SCOPES: {
+ "writeBusApi": "write:bus_api",
+ "readBusTopics": "read:bus_topics"
+ }
}
diff --git a/controllers/EventController.js b/controllers/EventController.js
index cae3e0a..e3b614d 100644
--- a/controllers/EventController.js
+++ b/controllers/EventController.js
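Review bot: verifyTokenScope in common/helper.js rejects a token that is present and valid but lacks the requested scope with `createError.Unauthorized` (401); that is an authorization failure, and a 401 tells the client to re-authenticate when a fresh token with the same scopes would not help — if `createError` is http-errors, `createError.Forbidden('Check your token scope.')` (403) is the accurate status. The reworked version of this function in the third patch keeps the same status, so the same note applies there. Style: the other code on this page (PlaceholderService.js, and the `validateEventPayload (event)` signature in this hunk's header) omits semicolons, uses single quotes and puts a space before the parameter list, and `_.includes(scopes, scope)` says the same as `_.indexOf(scopes, scope) >= 0`. A JSDoc line above the function, `@throws {Error} when the caller is not a machine token carrying the given scope`, would document the contract the controllers rely on.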
@@ -2,6 +2,8 @@
* The Event controller.
*/
const MessageBusService = require('../services/MessageBusService')
+const helper = require('../common/helper')
+const config = require('config')
/**
* Create a new event.
@@ -11,6 +13,7 @@ const MessageBusService = require('../services/MessageBusService')
* @param {Function} next the next middleware
*/
async function create (req, res, next) {
+ helper.verifyTokenScope(req, config.SCOPES.writeBusApi)
await MessageBusService.postEvent(req.body)
res.status(204).end()
next()
diff --git a/controllers/TopicController.js b/controllers/TopicController.js
index 93138f9..b43f9c9 100644
--- a/controllers/TopicController.js
+++ b/controllers/TopicController.js
@@ -2,6 +2,8 @@
* The Topic controller.
*/
const MessageBusService = require('../services/MessageBusService')
+const helper = require('../common/helper')
+const config = require('config')
/**
* Get all topic names.
@@ -11,6 +13,7 @@ const MessageBusService = require('../services/MessageBusService')
* @param {Function} next the next middleware
*/
async function getAll (req, res, next) {
+ helper.verifyTokenScope(req, config.SCOPES.readBusTopics)
const topics = await MessageBusService.getAllTopics()
res.send(topics)
next()
From 03e7d0b29753431a3ada67f64b26d78dcf4e8eda Mon Sep 17 00:00:00 2001
From: Sachin Maheshwari
Date: Thu, 17 May 2018 14:53:16 +0530
Subject: [PATCH 3/3] relaxing current static token support.
---
.circleci/config.yml | 2 +-
common/helper.js | 5 ++---
2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 747a1fa..d0b6a98 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -82,7 +82,7 @@ workflows:
- "build-dev":
filters:
branches:
- only: ['dev']
+ only: ['dev','feature/m2mtoken-support']
- "build-prod":
filters:
branches:
diff --git a/common/helper.js b/common/helper.js
index c2249c3..a5a9b5e 100644
--- a/common/helper.js
+++ b/common/helper.js
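Review bot: `helper.verifyTokenScope(req, config.SCOPES.writeBusApi)` throws synchronously inside the async `create`, so a rejected scope surfaces as a rejected promise; whether that reaches the error middleware depends on the route wrapper forwarding async rejections to `next`, which is not visible here, so a test that an under-scoped token gets the intended status rather than an unhandled rejection would settle it. Running the check before `MessageBusService.postEvent(req.body)` is the right order. The JSDoc above `create` documents only req/res/next; add `@throws {Error} when the caller's token lacks the write:bus_api scope` so the new requirement is visible to callers. TopicController.getAll in the following hunk has the same shape and the same notes apply (with read:bus_topics).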
@@ -192,10 +192,9 @@ function validateEventPayload (event) {
function verifyTokenScope(req, scope) {
const isMachineToken = _.get(req, 'authUser.isMachine', false);
const scopes = _.get(req, 'authUser.scopes', []);
- if (isMachineToken && (_.indexOf(scopes, scope) >= 0)) {
- return true;
+ if (isMachineToken && !(_.indexOf(scopes, scope) >= 0)) {
+ throw createError.Unauthorized("Check your token scope.")
}
- throw createError.Unauthorized("Check your token scope.")
}
module.exports = {
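Review bot: After this change a request whose `authUser` is not a machine token passes verifyTokenScope with no scope check at all, because the guard only fires when `isMachineToken` is true; that covers user JWTs and, if any route reaches this helper without the JWT middleware having set `req.authUser`, unauthenticated requests too (the middleware order is not visible in this hunk). If that pass-through is the intended "relaxing", state it above the function: `// Scope is enforced only for machine (M2M) tokens; other callers pass through unchanged.` The function no longer returns a value; the controllers ignore its result, so that is consistent, but the `return true` branch a test might have relied on is gone.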