m2m implementation

.circleci/config.yml

@@ -82,7 +82,7 @@ workflows:
       - "build-dev":
           filters:
             branches:
-              only: dev
+              only: ['dev','feature/m2mtoken-support']
       - "build-prod":
           filters:
             branches:

common/helper.js

@@ -189,10 +189,19 @@ function validateEventPayload (event) {
   }
 }
 
+function verifyTokenScope(req, scope) {
+  const isMachineToken = _.get(req, 'authUser.isMachine', false);
+  const scopes = _.get(req, 'authUser.scopes', []);
+  if (isMachineToken && !(_.indexOf(scopes, scope) >= 0)) {
+    throw createError.Unauthorized("Check your token scope.")
+  }
+}
+
 module.exports = {
   buildService,
   verifyJwtToken,
   signJwtToken,
   validateEvent,
-  validateEventPayload
+  validateEventPayload,
+  verifyTokenScope
 }

config/default.js

@@ -14,9 +14,8 @@ module.exports = {
   KAFKA_TOPIC_PREFIX: process.env.KAFKA_TOPIC_PREFIX || '',
   ALLOWED_SERVICES: process.env.ALLOWED_SERVICES || ['project-service', 'message-service'],
   TC_EMAIL_SERVICE_URL: process.env.TC_EMAIL_SERVICE_URL,
-  TC_EMAIL_SERVICE_TOKEN: process.env.TC_EMAIL_SERVICE_TOKEN,
   TC_EMAIL_SERVICE_CACHE_PERIOD: process.env.TC_EMAIL_SERVICE_CACHE_PERIOD || (3600 * 1000),
-  
+
   // Configuration for generating machine to machine auth0 token.
   // The token will be used for calling another internal API.
   AUTH0_URL: process.env.AUTH0_URL || '',
@@ -26,4 +25,8 @@ module.exports = {
   TOKEN_CACHE_TIME: process.env.TOKEN_CACHE_TIME || 86400000,
   AUTH0_CLIENT_ID: process.env.AUTH0_CLIENT_ID,
   AUTH0_CLIENT_Secret: process.env.AUTH0_CLIENT_SECRET,
+  SCOPES: {
+    "writeBusApi": "write:bus_api",
+    "readBusTopics": "read:bus_topics"
+  }
 }

controllers/EventController.js

@@ -2,6 +2,8 @@
  * The Event controller.
  */
 const MessageBusService = require('../services/MessageBusService')
+const helper = require('../common/helper')
+const config = require('config')
 
 /**
  * Create a new event.
@@ -11,6 +13,7 @@ const MessageBusService = require('../services/MessageBusService')
  * @param {Function} next the next middleware
  */
 async function create (req, res, next) {
+  helper.verifyTokenScope(req, config.SCOPES.writeBusApi)
   await MessageBusService.postEvent(req.body)
   res.status(204).end()
   next()

controllers/TopicController.js

@@ -2,6 +2,8 @@
  * The Topic controller.
  */
 const MessageBusService = require('../services/MessageBusService')
+const helper = require('../common/helper')
+const config = require('config')
 
 /**
  * Get all topic names.
@@ -11,6 +13,7 @@ const MessageBusService = require('../services/MessageBusService')
  * @param {Function} next the next middleware
  */
 async function getAll (req, res, next) {
+  helper.verifyTokenScope(req, config.SCOPES.readBusTopics)
   const topics = await MessageBusService.getAllTopics()
   res.send(topics)
   next()

deploy.sh

@@ -49,7 +49,6 @@ AUTH_DOMAIN=$(eval "echo \$${ENV}_AUTH_DOMAIN")
 VALID_ISSUERS=$(eval "echo \$${ENV}_VALID_ISSUERS")
 
 TC_EMAIL_SERVICE_URL=$(eval "echo \$${ENV}_TC_EMAIL_SERVICE_URL")
-TC_EMAIL_SERVICE_TOKEN=$(eval "echo \$${ENV}_TC_EMAIL_SERVICE_TOKEN")
 
 AUTH0_URL=$(eval "echo \$${ENV}_AUTH0_URL")
 AUTH0_AUDIENCE=$(eval "echo \$${ENV}_AUTH0_AUDIENCE")
@@ -157,10 +156,6 @@ make_task_def(){
 						"name": "TC_EMAIL_SERVICE_URL",
 						"value": "%s"
 					    },
-{
-						"name": "TC_EMAIL_SERVICE_TOKEN",
-						"value": "%s"
-					    },
 					    {
 						"name": "AUTH0_URL",
 						"value": "%s"
@@ -200,7 +195,7 @@ make_task_def(){
 		}
 	]'
 
-	task_def=$(printf "$task_template" $AWS_ECS_CONTAINER_NAME $AWS_ACCOUNT_ID $AWS_REGION $AWS_REPOSITORY $TAG $ENV $KAFKA_URL "$KAFKA_CLIENT_CERT" "$KAFKA_CLIENT_CERT_KEY" $LOG_LEVEL $JWT_TOKEN_SECRET "$KAFKA_TOPIC_PREFIX" "$ALLOWED_SERVICES" $JWT_TOKEN_EXPIRES_IN "$API_VERSION" $PORT "$AUTH_DOMAIN" "$VALID_ISSUERS" $TC_EMAIL_SERVICE_URL $TC_EMAIL_SERVICE_TOKEN "$AUTH0_URL" "$AUTH0_AUDIENCE" $AUTH0_CLIENT_ID "$AUTH0_CLIENT_SECRET" $TOKEN_CACHE_TIME $AWS_ECS_CLUSTER $AWS_REGION $AWS_ECS_CLUSTER $ENV)
+	task_def=$(printf "$task_template" $AWS_ECS_CONTAINER_NAME $AWS_ACCOUNT_ID $AWS_REGION $AWS_REPOSITORY $TAG $ENV $KAFKA_URL "$KAFKA_CLIENT_CERT" "$KAFKA_CLIENT_CERT_KEY" $LOG_LEVEL $JWT_TOKEN_SECRET "$KAFKA_TOPIC_PREFIX" "$ALLOWED_SERVICES" $JWT_TOKEN_EXPIRES_IN "$API_VERSION" $PORT "$AUTH_DOMAIN" "$VALID_ISSUERS" $TC_EMAIL_SERVICE_URL "$AUTH0_URL" "$AUTH0_AUDIENCE" $AUTH0_CLIENT_ID "$AUTH0_CLIENT_SECRET" $TOKEN_CACHE_TIME $AWS_ECS_CLUSTER $AWS_REGION $AWS_ECS_CLUSTER $ENV)
 }
 
 register_definition() {

services/PlaceholderService.js

@@ -6,24 +6,32 @@ const Joi = require('joi')
 const config = require('config')
 const request = require('superagent')
 const cache = require('memory-cache')
+const tcCoreLibAuth = require('tc-core-library-js').auth
+const m2m = tcCoreLibAuth.m2m(config)
+
 
 /**
  * Get all email template placeholders name.
  *
  * @returns {Array} list with email template placeholders name
  */
-async function getAllPlaceholders (name) {
+async function getAllPlaceholders(name) {
   const cachedData = cache.get(`placeholders-${name}`)
   if (cachedData == null) {
-    const data = await request
-      .get(`${config.TC_EMAIL_SERVICE_URL}/templates/${name}`)
-      .set('accept', 'json')
-      .set('authorization', `Bearer ${config.TC_EMAIL_SERVICE_TOKEN}`)
-    const parsedData = JSON.parse(data.text)
-
-    cache.put(`placeholders-${name}`, parsedData, config.TC_EMAIL_SERVICE_CACHE_PERIOD)
-
-    return parsedData
+    try {
+      const token = await m2m.getMachineToken(config.AUTH0_CLIENT_ID, config.AUTH0_CLIENT_SECRET)
+      const data = await request
+        .get(`${config.TC_EMAIL_SERVICE_URL}/templates/${name}`)
+        .set('accept', 'json')
+        .set('authorization', `Bearer ${token}`)
+      const parsedData = JSON.parse(data.text)
+
+      cache.put(`placeholders-${name}`, parsedData, config.TC_EMAIL_SERVICE_CACHE_PERIOD)
+
+      return parsedData
+    } catch (err) {
+      console.log(`Error generating m2m token: ${err.message}`)
+    }
   }
 
   return cachedData