prod - M2M support

.circleci/config.yml

@@ -82,7 +82,7 @@ workflows:
       - "build-dev":
           filters:
             branches:
-              only: dev
+              only: ['dev']
       - "build-prod":
           filters:
             branches:

common/helper.js

@@ -129,12 +129,10 @@ function signJwtToken (payload) {
 /**
  * Validate the event based on the source service, type, and message.
  *
- * @param {String} sourceServiceName the source service name
  * @param {Object} event the event
  */
-function validateEvent (sourceServiceName, event) {
+function validateEvent (event) {
   const schema = Joi.object().keys({
-    sourceServiceName: Joi.string().required(),
     event: Joi.object().keys({
       type: Joi
         .string()
@@ -146,7 +144,7 @@ function validateEvent (sourceServiceName, event) {
     })
   })
 
-  const { error } = Joi.validate({sourceServiceName, event}, schema)
+  const { error } = Joi.validate({event}, schema)
   if (error) {
     throw error
   }
@@ -191,10 +189,19 @@ function validateEventPayload (event) {
   }
 }
 
+function verifyTokenScope(req, scope) {
+  const isMachineToken = _.get(req, 'authUser.isMachine', false);
+  const scopes = _.get(req, 'authUser.scopes', []);
+  if (isMachineToken && !(_.indexOf(scopes, scope) >= 0)) {
+    throw createError.Unauthorized("Check your token scope.")
+  }
+}
+
 module.exports = {
   buildService,
   verifyJwtToken,
   signJwtToken,
   validateEvent,
-  validateEventPayload
+  validateEventPayload,
+  verifyTokenScope
 }

config/default.js

@@ -7,14 +7,26 @@ module.exports = {
   LOG_LEVEL: process.env.LOG_LEVEL || 'debug',
   CONTEXT_PATH: process.env.API_VERSION || '/eventbus/',
   PORT: process.env.PORT || '3000',
-  authSecret: process.env.JWT_TOKEN_SECRET,
-  authDomain: process.env.AUTH_DOMAIN,
-  validIssuers: process.env.VALID_ISSUERS ? process.env.VALID_ISSUERS.replace(/\\"/g, '') : null,
+  AUTH_SECRET: process.env.JWT_TOKEN_SECRET,
+  VALID_ISSUERS: process.env.VALID_ISSUERS ? process.env.VALID_ISSUERS.replace(/\\"/g, '') : null,
   JWT_TOKEN_SECRET: process.env.JWT_TOKEN_SECRET || '',
   JWT_TOKEN_EXPIRES_IN: process.env.JWT_TOKEN_EXPIRES_IN || '100 days',
   KAFKA_TOPIC_PREFIX: process.env.KAFKA_TOPIC_PREFIX || '',
   ALLOWED_SERVICES: process.env.ALLOWED_SERVICES || ['project-service', 'message-service'],
   TC_EMAIL_SERVICE_URL: process.env.TC_EMAIL_SERVICE_URL,
-  TC_EMAIL_SERVICE_TOKEN: process.env.TC_EMAIL_SERVICE_TOKEN,
-  TC_EMAIL_SERVICE_CACHE_PERIOD: process.env.TC_EMAIL_SERVICE_CACHE_PERIOD || (3600 * 1000)
+  TC_EMAIL_SERVICE_CACHE_PERIOD: process.env.TC_EMAIL_SERVICE_CACHE_PERIOD || (3600 * 1000),
+
+  // Configuration for generating machine to machine auth0 token.
+  // The token will be used for calling another internal API.
+  AUTH0_URL: process.env.AUTH0_URL || '',
+  AUTH0_AUDIENCE: process.env.AUTH0_AUDIENCE || '',
+  // The token will be cached.
+  // We define the time period of the cached token.
+  TOKEN_CACHE_TIME: process.env.TOKEN_CACHE_TIME || 86400000,
+  AUTH0_CLIENT_ID: process.env.AUTH0_CLIENT_ID,
+  AUTH0_CLIENT_Secret: process.env.AUTH0_CLIENT_SECRET,
+  SCOPES: {
+    "writeBusApi": "write:bus_api",
+    "readBusTopics": "read:bus_topics"
+  }
 }

controllers/EventController.js

@@ -2,6 +2,8 @@
  * The Event controller.
  */
 const MessageBusService = require('../services/MessageBusService')
+const helper = require('../common/helper')
+const config = require('config')
 
 /**
  * Create a new event.
@@ -11,7 +13,8 @@ const MessageBusService = require('../services/MessageBusService')
  * @param {Function} next the next middleware
  */
 async function create (req, res, next) {
-  await MessageBusService.postEvent(req.authUser.name, req.body)
+  helper.verifyTokenScope(req, config.SCOPES.writeBusApi)
+  await MessageBusService.postEvent(req.body)
   res.status(204).end()
   next()
 }

controllers/TopicController.js

@@ -2,6 +2,8 @@
  * The Topic controller.
  */
 const MessageBusService = require('../services/MessageBusService')
+const helper = require('../common/helper')
+const config = require('config')
 
 /**
  * Get all topic names.
@@ -11,6 +13,7 @@ const MessageBusService = require('../services/MessageBusService')
  * @param {Function} next the next middleware
  */
 async function getAll (req, res, next) {
+  helper.verifyTokenScope(req, config.SCOPES.readBusTopics)
   const topics = await MessageBusService.getAllTopics()
   res.send(topics)
   next()

deploy.sh

@@ -49,7 +49,12 @@ AUTH_DOMAIN=$(eval "echo \$${ENV}_AUTH_DOMAIN")
 VALID_ISSUERS=$(eval "echo \$${ENV}_VALID_ISSUERS")
 
 TC_EMAIL_SERVICE_URL=$(eval "echo \$${ENV}_TC_EMAIL_SERVICE_URL")
-TC_EMAIL_SERVICE_TOKEN=$(eval "echo \$${ENV}_TC_EMAIL_SERVICE_TOKEN")
+
+AUTH0_URL=$(eval "echo \$${ENV}_AUTH0_URL")
+AUTH0_AUDIENCE=$(eval "echo \$${ENV}_AUTH0_AUDIENCE")
+TOKEN_CACHE_TIME=$(eval "echo \$${ENV}_TOKEN_CACHE_TIME")
+AUTH0_CLIENT_ID=$(eval "echo \$${ENV}_AUTH0_CLIENT_ID")
+AUTH0_CLIENT_SECRET=$(eval "echo \$${ENV}_AUTH0_CLIENT_SECRET")
 
 echo $APP_NAME
 
@@ -147,14 +152,30 @@ make_task_def(){
 								"name": "VALID_ISSUERS",
 								"value": "%s"
 						},
-            {
-                "name": "TC_EMAIL_SERVICE_URL",
-                "value": "%s"
-            },
-            {
-                "name": "TC_EMAIL_SERVICE_TOKEN",
-                "value": "%s"
-            }
+					    {
+						"name": "TC_EMAIL_SERVICE_URL",
+						"value": "%s"
+					    },
+					    {
+						"name": "AUTH0_URL",
+						"value": "%s"
+					    },
+					    {
+						"name": "AUTH0_AUDIENCE",
+						"value": "%s"
+					    },
+					    {
+						"name": "AUTH0_CLIENT_ID",
+						"value": "%s"
+					    },
+					    {
+						"name": "AUTH0_CLIENT_SECRET",
+						"value": "%s"
+					    },
+					    {
+						"name": "TOKEN_CACHE_TIME",
+						"value": "%s"
+					    }
 				],
 				"portMappings": [
 						{
@@ -174,7 +195,7 @@ make_task_def(){
 		}
 	]'
 
-	task_def=$(printf "$task_template" $AWS_ECS_CONTAINER_NAME $AWS_ACCOUNT_ID $AWS_REGION $AWS_REPOSITORY $TAG $ENV $KAFKA_URL "$KAFKA_CLIENT_CERT" "$KAFKA_CLIENT_CERT_KEY" $LOG_LEVEL $JWT_TOKEN_SECRET "$KAFKA_TOPIC_PREFIX" "$ALLOWED_SERVICES" $JWT_TOKEN_EXPIRES_IN "$API_VERSION" $PORT "$AUTH_DOMAIN" "$VALID_ISSUERS" $TC_EMAIL_SERVICE_URL $TC_EMAIL_SERVICE_TOKEN $AWS_ECS_CLUSTER $AWS_REGION $AWS_ECS_CLUSTER $ENV)
+	task_def=$(printf "$task_template" $AWS_ECS_CONTAINER_NAME $AWS_ACCOUNT_ID $AWS_REGION $AWS_REPOSITORY $TAG $ENV $KAFKA_URL "$KAFKA_CLIENT_CERT" "$KAFKA_CLIENT_CERT_KEY" $LOG_LEVEL $JWT_TOKEN_SECRET "$KAFKA_TOPIC_PREFIX" "$ALLOWED_SERVICES" $JWT_TOKEN_EXPIRES_IN "$API_VERSION" $PORT "$AUTH_DOMAIN" "$VALID_ISSUERS" $TC_EMAIL_SERVICE_URL "$AUTH0_URL" "$AUTH0_AUDIENCE" $AUTH0_CLIENT_ID "$AUTH0_CLIENT_SECRET" $TOKEN_CACHE_TIME $AWS_ECS_CLUSTER $AWS_REGION $AWS_ECS_CLUSTER $ENV)
 }
 
 register_definition() {