diff --git a/.jshintrc b/.jshintrc new file mode 100644 index 0000000..cefd7b5 --- /dev/null +++ b/.jshintrc @@ -0,0 +1,4 @@ +{ + "esversion": 6, + "esnext": true +} diff --git a/index.js b/index.js index 47c68fe..8a64363 100644 --- a/index.js +++ b/index.js @@ -12,11 +12,12 @@ * the License. */ -module.exports = (kibana) => { +import session from './server/session'; +import binding from './server/binding'; +import healthCheck from './server/healthcheck'; - const session = require('./server/session'); - const proxy = require('./server/proxy'); - const healthCheck = require('./server/healthcheck'); +export default (kibana) => { + const COOKIE_PASSWORD_SIZE = 32; return new kibana.Plugin({ require: ['elasticsearch'], @@ -27,17 +28,19 @@ module.exports = (kibana) => { function config(Joi) { const cookie = Joi.object({ + name : Joi.string() + .default('keystone'), password : Joi.string() - .min(16) - .default(require('crypto').randomBytes(16).toString('hex')), + .min(COOKIE_PASSWORD_SIZE) + .default(require('crypto').randomBytes(COOKIE_PASSWORD_SIZE).toString('hex')), isSecure : Joi.boolean() - .default(false), + .default(process.env.NODE_ENV !== 'development'), ignoreErrors: Joi.boolean() .default(true), expiresIn : Joi.number() .positive() .integer() - .default(24 * 60 * 60 * 1000) // 1 day + .default(60 * 60 * 1000) // 1 hour }).default(); return Joi.object({ @@ -51,9 +54,11 @@ module.exports = (kibana) => { } function init(server) { - session(server); - proxy(server); + server.log(['status', 'debug', 'keystone'], 'Initializing keystone plugin'); + binding(server).start(); + session(server).start(); healthCheck(this, server).start(); + server.log(['status', 'debug', 'keystone'], 'Initialized keystone plugin'); } }; diff --git a/package.json b/package.json index a7af291..20b490b 100644 --- a/package.json +++ b/package.json @@ -1,13 +1,14 @@ { "name": "fts-keystone", - "version": "0.0.1", - "description": "Keystone authentication support for Kibana 4.4.x", + "version": "0.0.2", + "description": "Keystone authentication & multitenancy support for Kibana 4.4.x", "author": "Fujitsu Enabling Software Technology GmbH", - "licenses": "Apache-2.0", + "license": "Apache-2.0", "keywords": [ "kibana", "authentication", "keystone", + "multitenancy", "plugin" ], "scripts": { @@ -22,8 +23,9 @@ }, "main": "gulpfile.js", "dependencies": { - "yar": "^4.2.0", - "keystone-v3-client": "^0.0.7" + "hoek": "^4.0.1", + "keystone-v3-client": "^0.0.7", + "yar": "^7.x.x" }, "repository": { "type": "git", @@ -43,11 +45,14 @@ "gulp-mocha": "^2.2.0", "gulp-tar": "^1.8.0", "gulp-util": "^3.0.7", + "joi": "^9.0.4", "lodash": "^4.2.1", "mkdirp": "^0.5.1", "proxyquire": "^1.7.4", "rimraf": "^2.5.1", "rsync": "^0.4.0", - "sinon": "^1.17.3" + "semver": "^5.3.0", + "sinon": "^1.17.3", + "wreck": "^8.0.0" } } diff --git a/server/__tests__/binding.spec.js b/server/__tests__/binding.spec.js new file mode 100644 index 0000000..1c752e6 --- /dev/null +++ b/server/__tests__/binding.spec.js @@ -0,0 +1,45 @@ +/* + * Copyright 2016 FUJITSU LIMITED + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +const sinon = require('sinon'); +const chai = require('chai'); +const proxyRequire = require('proxyquire'); + +describe('fts-keystone', () => { + describe('binding', () => { + + it('should expose tokens & users', () => { + + let tokens = sinon.spy(); + let users = sinon.spy(); + + let server = { + config: sinon.stub().returns({ + get: sinon.spy() + }), + expose: sinon.spy() + }; + + proxyRequire('../binding', { + 'keystone-v3-client/lib/keystone/tokens': tokens, + 'keystone-v3-client/lib/keystone/users' : users + })(server).start(); + + chai.expect(server.expose.callCount).to.be.eq(2); + chai.expect(server.expose.calledWith('tokens', tokens)); + chai.expect(server.expose.calledWith('users', users)); + + }); + }); +}); diff --git a/server/__tests__/healthcheck.spec.js b/server/__tests__/healthcheck.spec.js index 1da9106..da44619 100644 --- a/server/__tests__/healthcheck.spec.js +++ b/server/__tests__/healthcheck.spec.js @@ -52,6 +52,7 @@ describe('plugins/fts-keystone', ()=> { server = { log : sinon.stub(), + on : sinon.stub(), config: function () { return { get: configGet @@ -63,6 +64,7 @@ describe('plugins/fts-keystone', ()=> { it('should set status to green if keystone available', (done)=> { let expectedCode = 200; + let expectedStatus = true; let healthcheck = proxyRequire('../healthcheck', { 'http': { request: (_, callback)=> { @@ -82,8 +84,8 @@ describe('plugins/fts-keystone', ()=> { check .run() - .then((code) => { - chai.expect(expectedCode).to.be.equal(code); + .then((status) => { + chai.expect(expectedStatus).to.be.equal(status); chai.expect(plugin.status.green.calledWith('Ready')).to.be.ok; }) .finally(done); @@ -92,6 +94,7 @@ describe('plugins/fts-keystone', ()=> { it('should set status to red if keystone not available', (done) => { let expectedCode = 500; + let expectedStatus = false; let healthcheck = proxyRequire('../healthcheck', { 'http': { request: (_, callback)=> { @@ -111,8 +114,8 @@ describe('plugins/fts-keystone', ()=> { check .run() - .catch((code) => { - chai.expect(expectedCode).to.be.equal(code); + .catch((status) => { + chai.expect(expectedStatus).to.be.equal(status); chai.expect(plugin.status.red.calledWith('Unavailable')).to.be.ok; }) .finally(done); diff --git a/server/__tests__/proxy.spec.js b/server/__tests__/proxy.spec.js deleted file mode 100644 index ef07373..0000000 --- a/server/__tests__/proxy.spec.js +++ /dev/null @@ -1,174 +0,0 @@ -/* - * Copyright 2016 FUJITSU LIMITED - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except - * in compliance with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software distributed under the License - * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express - * or implied. See the License for the specific language governing permissions and limitations under - * the License. - */ - -const proxyRequire = require('proxyquire'); -const Promise = require('bluebird'); -const sinon = require('sinon'); -const chai = require('chai'); - -describe('plugins/fts-keystone', ()=> { - describe('proxy', ()=> { - describe('proxy_check', ()=> { - - const keystoneUrl = 'http://localhost'; // mocking http - const keystonePort = 9000; - - let server; - let configGet; - - beforeEach(()=> { - configGet = sinon.stub(); - configGet.withArgs('fts-keystone.url').returns(keystoneUrl); - configGet.withArgs('fts-keystone.port').returns(keystonePort); - - server = { - log : sinon.stub(), - config: function () { - return { - get: configGet - }; - } - }; - }); - - it('should do nothing if not /elasticsearch call', ()=> { - let checkSpy = sinon.spy(); - let retrieveTokenSpy = sinon.spy(); - let proxy = proxyRequire('../proxy/proxy', { - 'keystone-v3-client/lib/keystone/tokens': () => { - return {check: checkSpy}; - }, - './retrieveToken' : retrieveTokenSpy - })(server); - let request = { - url: { - path: '/bundles/styles.css' - } - }; - let reply = { - 'continue': sinon.spy() - }; - - proxy(request, reply); - - chai.expect(reply.continue.calledOnce).to.be.ok; - chai.expect(checkSpy.called).to.not.be.ok; - chai.expect(retrieveTokenSpy.called).to.not.be.ok; - }); - - it('should authenticate with keystone', (done)=> { - - let token = '1234567890'; - let checkStub = sinon.stub().returns(Promise.resolve()); - let retrieveTokenStub = sinon.stub().returns(token); - - let proxy = proxyRequire('../proxy/proxy', { - 'keystone-v3-client/lib/keystone/tokens': () => { - return {check: checkStub}; - }, - './retrieveToken' : retrieveTokenStub - })(server); - let request = { - session: { - 'get' : sinon.stub(), - 'set' : sinon.stub() - }, - url : { - path: '/elasticsearch/.kibana' - } - }; - - let reply = { - 'continue': sinon.spy() - }; - let replyCall; - - proxy(request, reply) - .finally(verifyStubs) - .done(done); - - function verifyStubs() { - chai.expect(reply.continue.calledOnce).to.be.ok; - replyCall = reply.continue.firstCall.args; - - chai.expect(replyCall).to.be.empty; - - // other stubs - chai.expect(checkStub.calledOnce).to.be.ok; - chai.expect(checkStub.calledWithExactly({ - headers: { - 'X-Auth-Token' : token, - 'X-Subject-Token': token - } - })).to.be.ok; - - chai.expect(retrieveTokenStub.calledOnce).to.be.ok; - chai.expect(retrieveTokenStub.calledWithExactly(server, request)) - .to.be.ok; - } - }); - - it('should not authenticate with keystone', (done)=> { - let token = '1234567890'; - let checkStub = sinon.stub().returns(Promise.reject({ - statusCode: 666 - })); - let retrieveTokenStub = sinon.stub().returns(token); - let proxy = proxyRequire('../proxy/proxy', { - 'keystone-v3-client/lib/keystone/tokens': () => { - return {check: checkStub}; - }, - './retrieveToken' : retrieveTokenStub - })(server); - let request = { - session: { - 'get' : sinon.stub(), - 'set' : sinon.stub() - }, - url : { - path: '/elasticsearch/.kibana' - } - }; - let reply = sinon.spy(); - let replyCall; - - proxy(request, reply) - .finally(verifyStubs) - .done(done); - - function verifyStubs() { - chai.expect(reply.calledOnce).to.be.ok; - replyCall = reply.firstCall.args[0]; - - chai.expect(replyCall.isBoom).to.be.ok; - - // other stubs - chai.expect(checkStub.calledOnce).to.be.ok; - chai.expect(checkStub.calledWithExactly({ - headers: { - 'X-Auth-Token' : token, - 'X-Subject-Token': token - } - })).to.be.ok; - - chai.expect(retrieveTokenStub.calledOnce).to.be.ok; - chai.expect(retrieveTokenStub.calledWithExactly(server, request)) - .to.be.ok; - } - - }); - - }); - }); -}); diff --git a/server/__tests__/retrieveToken.spec.js b/server/__tests__/retrieveToken.spec.js index 03bb6b8..dba95ff 100644 --- a/server/__tests__/retrieveToken.spec.js +++ b/server/__tests__/retrieveToken.spec.js @@ -15,157 +15,176 @@ const sinon = require('sinon'); const chai = require('chai'); -const retrieveToken = require('../proxy/retrieveToken'); +const retrieveToken = require('../mt/auth/token'); +const CONSTANTS = require('../const'); +const RELOAD_SYMBOL = require('../mt/auth/reload'); describe('plugins/fts-keystone', ()=> { - describe('proxy', ()=> { - describe('retrieveToken', ()=> { + describe('mt', ()=> { + describe('auth', () => { + describe('token', ()=> { - let server; + let server; - beforeEach(()=> { - server = { - log: sinon.stub() - }; - }); + beforeEach(()=> { + server = { + log: sinon.stub() + }; + }); - it('should return isBoom if session not available', ()=> { - let request = {}; - let errMsg = /Session support is missing/; + it('should return isBoom if session not available', ()=> { + let request = {}; + let errMsg = /Session support is missing/; - chai.expect(()=> { - retrieveToken(server, request); - }).to.throw(errMsg); + chai.expect(()=> { + retrieveToken(server, request); + }).to.throw(errMsg); - request = { - session: undefined - }; - chai.expect(()=> { - retrieveToken(server, request); - }).to.throw(errMsg); + request = { + yar: undefined + }; + chai.expect(()=> { + retrieveToken(server, request); + }).to.throw(errMsg); - request = { - session: null - }; - chai.expect(()=> { - retrieveToken(server, request); - }).to.throw(errMsg); - }); + request = { + session: null + }; + chai.expect(()=> { + retrieveToken(server, request); + }).to.throw(errMsg); + }); - it('should Boom with unauthorized if token not in header or session', function () { - let expectedMsg = 'You\'re not logged into the OpenStack. Please login via Horizon Dashboard'; - let request = { - session: { - 'get': sinon - .stub() - .withArgs('keystone_token') - .returns(undefined) - }, - headers: {} - }; + it('should Boom with unauthorized if token not in header or session', function () { + let expectedMsg = 'You\'re not logged into the OpenStack. Please login via Horizon Dashboard'; + let request = { + yar : { + 'get': sinon + .stub() + .withArgs(CONSTANTS.SESSION_TOKEN_KEY) + .returns(undefined) + }, + headers: {} + }; - let result = retrieveToken(server, request); - chai.expect(result.isBoom).to.be.true; - chai.expect(result.output.payload.message).to.be.eq(expectedMsg); - chai.expect(result.output.statusCode).to.be.eq(401); - }); + let result = retrieveToken(server, request); + chai.expect(result.isBoom).to.be.true; + chai.expect(result.output.payload.message).to.be.eq(expectedMsg); + chai.expect(result.output.statusCode).to.be.eq(401); + }); - it('should use session token if requested does not have it', () => { - let expectedToken = 'SOME_RANDOM_TOKEN'; - let yar = { - 'set': sinon - .spy(), - 'get': sinon - .stub() - .withArgs('keystone_token') - .returns(expectedToken) - }; - let request = { - session: yar, - headers: {} - }; - let token; + it('should use session token if requested does not have it', () => { + let expectedToken = 'SOME_RANDOM_TOKEN'; + let yar = { + 'reset': sinon.spy(), + 'set' : sinon.spy(), + 'get' : sinon.stub() + }; + let request = { + yar : yar, + headers: {} + }; + let token; - token = retrieveToken(server, request); - chai.expect(token).not.to.be.undefined; - chai.expect(token).to.be.eql(expectedToken); + yar.get.returns(expectedToken); - chai.expect( - yar.get.calledOnce - ).to.be.ok; - chai.expect( - yar.set.calledOnce - ).not.to.be.ok; - chai.expect( - yar.set.calledWithExactly('keystone_token', expectedToken) - ).not.to.be.ok; - }); + token = retrieveToken(server, request); + chai.expect(token).not.to.be.undefined; + chai.expect(token).to.be.eql(expectedToken); - it('should set token in session if not there and request has it', () => { - let expectedToken = 'SOME_RANDOM_TOKEN'; - let yar = { - 'set': sinon - .spy(), - 'get': sinon - .stub() - .withArgs('keystone_token') - .returns(undefined) - }; - let request = { - session: yar, - headers: { + console.log(yar.get.callCount); + + chai.expect(yar.get.callCount).to.be.eq(2); + chai.expect(yar.set.calledOnce).not.to.be.ok; + chai.expect( + yar.set.calledWithExactly(CONSTANTS.SESSION_TOKEN_KEY, expectedToken) + ).not.to.be.ok; + }); + + it('should set token in session if not there and request has it', () => { + let expectedToken = 'SOME_RANDOM_TOKEN'; + let yar = { + 'reset': sinon.spy(), + 'set' : sinon.spy(), + 'get' : sinon.stub() + }; + let request = { + yar : yar, + headers: { + 'x-auth-token': expectedToken + } + }; + let token; + + yar.get + .withArgs(CONSTANTS.SESSION_TOKEN_KEY) + .onCall(0).returns(undefined) + .onCall(1).returns(expectedToken); + + token = retrieveToken(server, request); + chai.expect(token).to.not.be.undefined; + chai.expect(token).to.be.eql(expectedToken); + + chai.expect(yar.get.callCount).to.be.eq(2); + chai.expect(yar.set.calledOnce).to.be.ok; + + chai.expect( + yar.set.calledWithExactly( + CONSTANTS.SESSION_TOKEN_KEY, + expectedToken + ) + ).to.be.ok; + chai.expect( + yar.set.calledWithExactly( + CONSTANTS.SESSION_TOKEN_CHANGED, + CONSTANTS.TOKEN_CHANGED_VALUE + ) + ).to.not.be.ok; + }); + + it('should update token in session if request\'s token is different', ()=> { + let expectedToken = 'SOME_RANDOM_TOKEN'; + let oldToken = 'OLD_TOKEN'; + + let headers = { 'x-auth-token': expectedToken - } - }; - let token; + }; + let yar = { + 'reset': sinon.stub(), + 'get' : sinon + .stub() + .withArgs(CONSTANTS.SESSION_TOKEN_KEY) + .returns(oldToken), + 'set' : sinon.spy() + }; + let token; + let request = { + yar : yar, + headers: headers + }; - token = retrieveToken(server, request); - chai.expect(token).to.not.be.undefined; - chai.expect(token).to.be.eql(expectedToken); + token = retrieveToken(server, request); + chai.expect(token).to.not.be.undefined; + chai.expect(token).to.be.eql(RELOAD_SYMBOL); - chai.expect( - yar.get.calledOnce - ).to.be.ok; - chai.expect( - yar.set.calledOnce - ).to.be.ok; - chai.expect( - yar.set.calledWithExactly('keystone_token', expectedToken) - ).to.be.ok; - }); + chai.expect(yar.reset.calledOnce).to.be.ok; + chai.expect(yar.get.calledOnce).to.be.ok; - it('should update token in session if request\'s token is different', ()=> { - let expectedToken = 'SOME_RANDOM_TOKEN'; - let headers = { - 'x-auth-token': expectedToken - }; - let yar = { - 'get': sinon - .stub() - .withArgs('keystone_token') - .returns('SOME_OLD_TOKEN'), - 'set': sinon - .spy() - }; - let token; - let request = { - session: yar, - headers: headers - }; + chai.expect(yar.set.callCount).to.be.eq(2); + chai.expect( + yar.set.calledWithExactly( + CONSTANTS.SESSION_TOKEN_KEY, + expectedToken + ) + ).to.be.ok; + chai.expect( + yar.set.calledWithExactly( + CONSTANTS.SESSION_TOKEN_CHANGED, + CONSTANTS.TOKEN_CHANGED_VALUE + ) + ).to.be.ok; - token = retrieveToken(server, request); - chai.expect(token).to.not.be.undefined; - chai.expect(token).to.be.eql(expectedToken); - - chai.expect( - yar.get.calledOnce - ).to.be.ok; - chai.expect( - yar.set.calledOnce - ).to.be.ok; - chai.expect( - yar.set.calledWithExactly('keystone_token', expectedToken) - ).to.be.ok; + }); }); }); }); diff --git a/server/__tests__/routing.createProxy.spec.js b/server/__tests__/routing.createProxy.spec.js new file mode 100644 index 0000000..9f3c95a --- /dev/null +++ b/server/__tests__/routing.createProxy.spec.js @@ -0,0 +1,132 @@ +/* + * Copyright 2016 FUJITSU LIMITED + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +const sinon = require('sinon'); +const chai = require('chai'); +const proxyRequire = require('proxyquire'); + +describe('plugins/fts-keystone', () => { + describe('mt', () => { + describe('routing', () => { + describe('createProxy', () => { + const kibanaIndex = '.kibana'; + const server = { + log : sinon.spy(), + config: sinon.stub().returns({ + get: sinon.stub().withArgs('kibana.index').returns(kibanaIndex) + }) + }; + + let mgetHandler; + let pathsHandler; + let kibanaIndexHandler; + let defaultHandler; + + beforeEach(() => { + mgetHandler = sinon.stub().returns({}); + pathsHandler = sinon.stub().returns({}); + kibanaIndexHandler = sinon.stub().returns({}); + defaultHandler = sinon.stub().returns({}); + + server.route = sinon.spy(); + }); + + it('should load mget handler if that is the route', () => { + const route = '/_mget'; + const method = sinon.spy(); + + proxyRequire('../mt/routing/_create_proxy', { + './routes/mget' : mgetHandler, + './routes/paths' : pathsHandler, + './routes/kibana_index': kibanaIndexHandler, + './routes/default' : defaultHandler + })(server, method, route); + + chai.expect(mgetHandler.calledOnce).to.be.ok; + chai.expect(mgetHandler.calledWith(server, method, sinon.match.string)).to.be.ok; + + chai.expect(pathsHandler.calledOnce).to.not.be.ok; + chai.expect(kibanaIndexHandler.calledOnce).to.not.be.ok; + chai.expect(defaultHandler.calledOnce).to.not.be.ok; + + chai.expect(server.route.calledWith(sinon.match.object)).to.be.ok; + }); + + it('should load paths handler if that is the route', () => { + const route = '/{paths*}'; + const method = sinon.spy(); + + proxyRequire('../mt/routing/_create_proxy', { + './routes/mget' : mgetHandler, + './routes/paths' : pathsHandler, + './routes/kibana_index': kibanaIndexHandler, + './routes/default' : defaultHandler + })(server, method, route); + + chai.expect(pathsHandler.calledOnce).to.be.ok; + chai.expect(pathsHandler.calledWith(server, method, sinon.match.string)).to.be.ok; + + chai.expect(mgetHandler.calledOnce).to.not.be.ok; + chai.expect(kibanaIndexHandler.calledOnce).to.not.be.ok; + chai.expect(defaultHandler.calledOnce).to.not.be.ok; + + chai.expect(server.route.calledWith(sinon.match.object)).to.be.ok; + }); + + it('should load default handler if that is the route', () => { + const route = '/other'; + const method = sinon.spy(); + + proxyRequire('../mt/routing/_create_proxy', { + './routes/mget' : mgetHandler, + './routes/paths' : pathsHandler, + './routes/kibana_index': kibanaIndexHandler, + './routes/default' : defaultHandler + })(server, method, route); + + chai.expect(defaultHandler.calledOnce).to.be.ok; + chai.expect(defaultHandler.calledWith(server, method, sinon.match.string)).to.be.ok; + + chai.expect(mgetHandler.calledOnce).to.not.be.ok; + chai.expect(kibanaIndexHandler.calledOnce).to.not.be.ok; + chai.expect(pathsHandler.calledOnce).to.not.be.ok; + + chai.expect(server.route.calledWith(sinon.match.object)).to.be.ok; + }); + + it('should load kibana handler if that is the route', () => { + const route = `/${kibanaIndex}/{paths*}`; + const method = sinon.spy(); + + proxyRequire('../mt/routing/_create_proxy', { + './routes/mget' : mgetHandler, + './routes/paths' : pathsHandler, + './routes/kibana_index': kibanaIndexHandler, + './routes/default' : defaultHandler + })(server, method, route); + + chai.expect(kibanaIndexHandler.calledOnce).to.be.ok; + chai.expect(kibanaIndexHandler.calledWith(server, method, sinon.match.string)).to.be.ok; + + chai.expect(mgetHandler.calledOnce).to.not.be.ok; + chai.expect(defaultHandler.calledOnce).to.not.be.ok; + chai.expect(pathsHandler.calledOnce).to.not.be.ok; + + chai.expect(server.route.calledWith(sinon.match.object)).to.be.ok; + }); + + }); + }); + }); +}); diff --git a/server/__tests__/routing.reRouting.spec.js b/server/__tests__/routing.reRouting.spec.js new file mode 100644 index 0000000..8704809 --- /dev/null +++ b/server/__tests__/routing.reRouting.spec.js @@ -0,0 +1,86 @@ +/* + * Copyright 2016 FUJITSU LIMITED + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +const sinon = require('sinon'); +const chai = require('chai'); +const proxyRequire = require('proxyquire'); + +describe('plugins/fts-keystone', () => { + describe('mt', () => { + describe('routing', () => { + describe('reRoute', () => { + const prefix = '/test'; + const server = { + log: sinon.spy() + }; + + it('should re-route ElasticSearch request', () => { + const requestPath = '/elasticsearch/something/a/b/c'; + + let request = { + setUrl: sinon.spy() + }; + let reply = { + continue: sinon.spy() + }; + let utils = { + requestPath: sinon.stub().withArgs(request).returns(requestPath), + isESRequest: sinon.stub().withArgs(request).returns(true) + }; + + proxyRequire('../mt/routing/_re_route', { + '../../util': utils, + './_utils' : { + PREFIX: prefix + } + })(server)(request, reply); + + chai.expect(request.setUrl.calledOnce).to.be.ok; + chai.expect(request.setUrl.calledWith(`${prefix}${requestPath}`)).to.be.ok; + chai.expect(reply.continue.calledOnce).to.be.ok; + + }); + + it('should not re-route non-ElasticSearch request', () => { + const requestPath = '/resources/cool.ico'; + + let request = { + setUrl: sinon.spy() + }; + let reply = { + continue: sinon.spy() + }; + let utils = { + requestPath: sinon.stub().withArgs(request).returns(requestPath), + isESRequest: sinon.stub().withArgs(request).returns(false) + }; + + proxyRequire('../mt/routing/_re_route', { + '../../util': utils, + './_utils' : { + PREFIX: prefix + } + })(server)(request, reply); + + chai.expect(request.setUrl.calledOnce).to.not.be.ok; + chai.expect(request.setUrl.calledWith(`${prefix}${requestPath}`)).to.not.be.ok; + chai.expect(reply.continue.calledOnce).to.be.ok; + + }); + + + }); + }); + }); +}); diff --git a/server/__tests__/routing.spec.js b/server/__tests__/routing.spec.js new file mode 100644 index 0000000..4896c82 --- /dev/null +++ b/server/__tests__/routing.spec.js @@ -0,0 +1,57 @@ +/* + * Copyright 2016 FUJITSU LIMITED + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +const sinon = require('sinon'); +const chai = require('chai'); +const proxyRequire = require('proxyquire'); + +describe('plugins/fts-keystone', ()=> { + describe('mt', ()=> { + describe('routing', () => { + + const createProxy = sinon.spy(); + const serverLog = sinon.spy(); + + let serverExt; + let server; + let reRoute; + + beforeEach(() => { + serverExt = sinon.spy(); + server = { + log: serverLog, + ext: serverExt + }; + reRoute = sinon.spy(); + }); + + it('should load re-route logic', (done) => { + + proxyRequire('../mt/routing', { + './_create_proxy': createProxy, + './_re_route' : reRoute + })(server).then(verify); + + function verify(route) { + chai.expect(serverExt.calledOnce).to.be.ok; + chai.expect(serverExt.calledWith('onRequest', reRoute)); + chai.expect(createProxy).to.be.eq(route); + done(); + } + + }); + + }); + }); +}); diff --git a/server/__tests__/verify.spec.js b/server/__tests__/verify.spec.js new file mode 100644 index 0000000..d8e6000 --- /dev/null +++ b/server/__tests__/verify.spec.js @@ -0,0 +1,114 @@ +/* + * Copyright 2016 FUJITSU LIMITED + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +const sinon = require('sinon'); +const chai = require('chai'); +const proxyRequire = require('proxyquire'); + +const CONSTANTS = require('../const'); + +describe('plugins/fts-keystone', ()=> { + describe('mt', ()=> { + describe('verify', () => { + + it('should skip if session not available', () => { + let server = { + log: sinon.spy() + }; + let request = { + yar: { + _store: undefined + } + }; + let reply = { + continue: sinon.spy() + }; + + require('../mt/verify')(server)(request, reply); + chai.expect(reply.continue.calledOnce).to.be.ok; + }); + + it('should skip if session available but user object not found', () => { + let server = { + log: sinon.spy() + }; + let request = { + yar: { + _store: { + '1': 1 + } + } + }; + let reply = { + continue: sinon.spy() + }; + + require('../mt/verify')(server)(request, reply); + chai.expect(reply.continue.calledOnce).to.be.ok; + }); + + it('should skip non ElasticSearch requests', () => { + let store = {}; + + store[CONSTANTS.SESSION_USER_KEY] = {'id': 1}; + + let server = { + log: sinon.spy() + }; + let request = { + url : { + path: '/some/other/path' + }, + yar: { + _store: store + } + }; + let reply = { + continue: sinon.spy() + }; + + require('../mt/verify')(server)(request, reply); + chai.expect(reply.continue.calledOnce).to.be.ok; + }); + + it('should call verify indexPattern', () => { + let store = {}; + let indexPattern = '*'; + + store[CONSTANTS.SESSION_USER_KEY] = {'id': 1}; + + let server = { + log: sinon.spy() + }; + let request = { + method: 'GET', + url : { + path: `/elasticsearch/${indexPattern}/_mapping/field/` + }, + yar: { + _store: store + } + }; + let verifyIndexPattern = sinon.spy(); + + proxyRequire('../mt/verify', { + './_verify_index_pattern': verifyIndexPattern + })(server)(request); + + chai.expect(verifyIndexPattern.calledOnce).to.be.ok; + }); + + }); + }); +}); diff --git a/server/__tests__/verifyIndexPattern.spec.js b/server/__tests__/verifyIndexPattern.spec.js new file mode 100644 index 0000000..fa23a1d --- /dev/null +++ b/server/__tests__/verifyIndexPattern.spec.js @@ -0,0 +1,103 @@ +/* + * Copyright 2016 FUJITSU LIMITED + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +const sinon = require('sinon'); +const chai = require('chai'); + +const CONSTANTS = require('../const'); +const verifyIndexPattern = require('../mt/verify/_verify_index_pattern'); + +describe('plugins/fts-keystone', ()=> { + describe('mt', ()=> { + describe('verify', () => { + describe('verify_index_pattern', () => { + + it('should reject * as index-pattern', () => { + let indexPattern = '*'; + let request = { + url: { + path: `/a/${indexPattern}/` + }, + yar: { + _store: {} + } + }; + verifyIndexPattern(request, (result) => { + chai.expect(result.isBoom) + .to.be.true; + chai.expect(result.output.payload.message) + .to.be.eq('* as pattern is not supported at the moment'); + chai.expect(result.output.statusCode) + .to.be.eq(422); + }); + }); + + it('should reject index-pattern if it does not match user`s projects', () => { + let projects = [ + { id: 'project_1'}, { id: 'project_2' }, {id: 'project_3'} + ]; + let indexPattern = 'test'; + let store = {}; + + store[CONSTANTS.SESSION_PROJECTS_KEY] = projects; + + let request = { + url: { + path: `/a/${indexPattern}/` + }, + yar: { + _store: store + } + }; + let reply = sinon.spy(); + + verifyIndexPattern(request, (result) => { + chai.expect(result.isBoom) + .to.be.true; + chai.expect(result.output.payload.message) + .to.be.eq(`${indexPattern} do not match any project of current user`); + chai.expect(result.output.statusCode) + .to.be.eq(422); + }); + }); + + it('should accept index-pattern it it constaint project id', () => { + let projects = [ + { id: 'project_1'}, { id: 'project_2' }, {id: 'project_3'} + ]; + let indexPattern = projects[1].id; + let store = {}; + + store[CONSTANTS.SESSION_PROJECTS_KEY] = projects; + + let request = { + url: { + path: `/a/${indexPattern}/` + }, + yar: { + _store: store + } + }; + let reply = { + continue: sinon.spy() + }; + + verifyIndexPattern(request, reply); + chai.expect(reply.continue.calledOnce).to.be.ok; + }); + + }); + }); + }); +}); diff --git a/server/binding/index.js b/server/binding/index.js new file mode 100644 index 0000000..b997e9e --- /dev/null +++ b/server/binding/index.js @@ -0,0 +1,31 @@ +/* + * Copyright 2016 FUJITSU LIMITED + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +import TokensApi from 'keystone-v3-client/lib/keystone/tokens'; +import UsersApi from 'keystone-v3-client/lib/keystone/users'; + +module.exports = function binding(server) { + const config = server.config(); + const keystoneCfg = { + url: `${config.get('fts-keystone.url')}:${config.get('fts-keystone.port')}` + }; + + return { + start: () => { + server.expose('tokens', new TokensApi(keystoneCfg)); + server.expose('users', new UsersApi(keystoneCfg)); + } + }; + +}; diff --git a/server/const.js b/server/const.js new file mode 100644 index 0000000..81850f9 --- /dev/null +++ b/server/const.js @@ -0,0 +1,22 @@ +/* + * Copyright 2016 FUJITSU LIMITED + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +const NOW_TIME = (new Date().valueOf() / 1000); + +export const SESSION_USER_KEY = `fts-keystone-user-${NOW_TIME}`; +export const SESSION_TOKEN_KEY = `fts-keystone-token-${NOW_TIME}`; +export const SESSION_PROJECTS_KEY = `fts-keystone-projects-${NOW_TIME}`; +export const SESSION_TOKEN_CHANGED = `fts-keystone-token-changed-${NOW_TIME}`; + +export const TOKEN_CHANGED_VALUE = Symbol('token-changed'); diff --git a/server/healthcheck/index.js b/server/healthcheck/index.js index ade00be..5c69b2f 100644 --- a/server/healthcheck/index.js +++ b/server/healthcheck/index.js @@ -12,18 +12,19 @@ * the License. */ -const Promise = require('bluebird'); -const url = require('url'); +import url from 'url'; +import Promise from 'bluebird'; -const util = require('../util/'); - -module.exports = function (plugin, server) { - let timeoutId; +import util from '../util'; +module.exports = function healthcheck(plugin, server) { const config = server.config(); const keystoneUrl = config.get('fts-keystone.url'); const keystonePort = config.get('fts-keystone.port'); const request = getRequest(); + + let timeoutId; + const service = { run : check, start : start, @@ -33,22 +34,12 @@ module.exports = function (plugin, server) { } }; + server.on('stop', stop); + return service; - function getRequest() { - let required; - if (util.startsWith(keystoneUrl, 'https')) { - required = require('https'); - } else { - required = require('http'); - } - return required.request; - } - function check() { - return new Promise((resolve, reject)=> { - const req = request({ hostname: getHostname(), port : keystonePort, @@ -57,12 +48,13 @@ module.exports = function (plugin, server) { const statusCode = res.statusCode; if (statusCode >= 400) { plugin.status.red('Unavailable'); - reject(statusCode); + reject(false); } else { plugin.status.green('Ready'); - resolve(statusCode); + resolve(true); } }); + req.on('error', (error)=> { plugin.status.red('Unavailable: Failed to communicate with Keystone'); server.log(['keystone', 'healthcheck', 'error'], `${error.message}`); @@ -70,14 +62,9 @@ module.exports = function (plugin, server) { }); req.end(); - }); } - function getHostname() { - return url.parse(keystoneUrl).hostname; - } - function start() { scheduleCheck(service.stop() ? 10000 : 1); } @@ -109,4 +96,18 @@ module.exports = function (plugin, server) { return true; } + function getHostname() { + return url.parse(keystoneUrl).hostname; + } + + function getRequest() { + let required; + if (util.startsWith(keystoneUrl, 'https')) { + required = require('https'); + } else { + required = require('http'); + } + return required.request; + } + }; diff --git a/server/mt/auth/_authenticate.js b/server/mt/auth/_authenticate.js new file mode 100644 index 0000000..2569694 --- /dev/null +++ b/server/mt/auth/_authenticate.js @@ -0,0 +1,91 @@ +/* + * Copyright 2016 FUJITSU LIMITED + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +import Boom from 'boom'; +import Joi from 'joi'; + +import { SESSION_USER_KEY } from '../../const'; +import lookupToken from './token'; +import RELOAD from './reload'; + +const RELOAD_MARKUP = ` +
+reloading... +`; +const NOOP = ()=> { +}; +const SCHEMA = { + tokenOk : Joi.func().default(NOOP), + tokenBad: Joi.func().default(NOOP) +}; + +export default (server, opts) => { + Joi.assert(opts, SCHEMA, 'Invalid keystone auth options'); + + const tokensApi = server.plugins['fts-keystone'].tokens; + const callbackOk = opts.tokenOk; + const callbackBad = opts.tokenBad; + + return (request, reply) => { + const token = lookupToken(server, request); + const session = request.yar; + + let userObj = session.get(SESSION_USER_KEY); + + if (token.isBoom) { + server.log(['status', 'debug', 'keystone'], + 'Received error object from token lookup' + ); + return reply(token); + } else if (token === RELOAD) { + server.log(['status', 'debug', 'keystone'], + 'Received reload markup object from token lookup' + ); + return reply(RELOAD_MARKUP).type('text/html'); + } else if (userObj && 'project' in userObj) { + server.log(['status','info','keystone'], `${token} already authorized`); + return reply.continue({credentials:token}); + } + + server.log(['status', 'debug', 'keystone'], + 'About to validate token with keystone' + ); + + return tokensApi + .validate({ + headers: { + 'X-Auth-Token' : token, + 'X-Subject-Token': token + } + }) + .then( + (data) => { + userObj = data.data.token; + return callbackOk(token, userObj, session) + .then(()=> { + server.log(['status', 'debug', 'keystone'], + `Auth process completed for user ${userObj.user.id}`); + return reply.continue({credentials: token}); + }); + }) + .catch((error) => { + return callbackBad(token, error, session) + .then((err)=> { + server.log(['status', 'error', 'keystone'], `Auth process did not complete for token ${token}`); + server.log(['status', 'error', 'keystone'], `${err}`); + return reply(Boom.wrap(err)); + }); + }); + }; +}; diff --git a/server/mt/auth/reload/index.js b/server/mt/auth/reload/index.js new file mode 100644 index 0000000..f3d48d4 --- /dev/null +++ b/server/mt/auth/reload/index.js @@ -0,0 +1,17 @@ +/* + * Copyright 2016 FUJITSU LIMITED + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +const RELOAD = Symbol('reload-me'); + +module.exports = RELOAD; diff --git a/server/proxy/index.js b/server/mt/auth/scheme.js similarity index 77% rename from server/proxy/index.js rename to server/mt/auth/scheme.js index 79abed2..fc56580 100644 --- a/server/proxy/index.js +++ b/server/mt/auth/scheme.js @@ -12,14 +12,10 @@ * the License. */ -const proxy = require('./proxy'); +import authenticateFactory from './_authenticate'; -module.exports = function createProxy(server) { - server.ext( - 'onPreAuth', - proxy(server), - { - after: ['yar'] - } - ); +export default (server, opts) => { + return { + authenticate: authenticateFactory(server, opts) + }; }; diff --git a/server/mt/auth/strategy.js b/server/mt/auth/strategy.js new file mode 100644 index 0000000..d176c67 --- /dev/null +++ b/server/mt/auth/strategy.js @@ -0,0 +1,74 @@ +/* + * Copyright 2016 FUJITSU LIMITED + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +import Boom from 'boom'; +import Promise from 'bluebird'; + +import kibanaIndex from '../kibana'; +import userProjects from '../projects'; + +import { + SESSION_TOKEN_KEY, + SESSION_USER_KEY +} from '../../const'; + +export default (server) => { + + return { + tokenOk : tokenOk, + tokenBad: tokenBad + }; + + function tokenOk(token, userObj, session) { + session.reset(); + session.set(SESSION_TOKEN_KEY, token); + session.set(SESSION_USER_KEY, userObj); + + return Promise + .all([ + userProjects(server, session, userObj), + kibanaIndex(server, userObj) + ]) + .then(() => { + server.log(['status', 'info', 'keystone'], `User ${userObj.user.id} authorized with keystone`); + return token; + }) + .catch(err => { + server.log(['status', 'info', 'keystone'], + `Error caught in process of authorization, err was ${err}`); + throw err; + }); + } + + function tokenBad(token, error, session) { + return new Promise((resolve)=> { + server.log(['keystone', 'error'], `Failed to authenticate token ${token} with keystone, error is ${error.statusCode}.`); + session.reset(); + + let err; + + if (error.statusCode === 401) { + err = Boom.forbidden('\You\'re not logged in as a user who\'s authorized to access log information'); + } else { + err = Boom.internal( + error.message || 'Unexpected error during Keystone communication', + {}, + error.statusCode + ); + } + return resolve(err); + }); + } + +}; diff --git a/server/proxy/retrieveToken.js b/server/mt/auth/token/index.js similarity index 63% rename from server/proxy/retrieveToken.js rename to server/mt/auth/token/index.js index af6ba14..2bbcdbe 100644 --- a/server/proxy/retrieveToken.js +++ b/server/mt/auth/token/index.js @@ -12,10 +12,15 @@ * the License. */ -const Boom = require('boom'); +import Boom from 'boom'; +import { + SESSION_TOKEN_KEY, + SESSION_TOKEN_CHANGED, + TOKEN_CHANGED_VALUE +} from '../../../const'; +import RELOAD_SYMBOL from '../reload'; -/** @module */ -module.exports = retrieveToken; +const HEADER_NAME = 'x-auth-token'; /** * Retrieves token from the response header using key X-Keystone-Token. @@ -31,21 +36,21 @@ module.exports = retrieveToken; * * @returns {string} current token value */ +module.exports = (server, request) => { -const HEADER_NAME = 'x-auth-token'; - -function retrieveToken(server, request) { - - if (!request.session || request.session === null) { - server.log(['keystone', 'error'], 'Session is not enabled'); + if (!request.yar || request.yar === null) { + server.log(['status', 'keystone', 'error'], 'Session is not enabled'); throw new Error('Session support is missing'); } - let tokenFromSession = request.session.get('keystone_token'); + // DEV PURPOSE ONLY + // request.yar.set(SESSION_TOKEN_KEY, 'a60e832483c34526a0c2bc3c6f8fa320'); + + let tokenFromSession = request.yar.get(SESSION_TOKEN_KEY); let token = request.headers[HEADER_NAME]; if (!token && !tokenFromSession) { - server.log(['keystone', 'error'], + server.log(['status', 'keystone', 'error'], 'Token hasn\'t been located, looked in headers and session'); return Boom.unauthorized( 'You\'re not logged into the OpenStack. Please login via Horizon Dashboard' @@ -54,15 +59,28 @@ function retrieveToken(server, request) { if (!token && tokenFromSession) { token = tokenFromSession; - server.log(['keystone', 'debug'], + server.log(['status', 'debug', 'keystone'], 'Token lookup status: Found token in session' ); } else if ((token && !tokenFromSession) || (token !== tokenFromSession)) { - server.log(['keystone', 'debug'], + server.log(['status', 'debug', 'keystone'], 'Token lookup status: Token located in header/session or token changed' ); - request.session.set('keystone_token', token); + + if ((token !== tokenFromSession) && (token && tokenFromSession)) { + server.log(['status', 'info', 'keystone'], + 'Reseting session because token has changed' + ); + request.yar.reset(); + + request.yar.set(SESSION_TOKEN_CHANGED, TOKEN_CHANGED_VALUE); + request.yar.set(SESSION_TOKEN_KEY, token); + + return RELOAD_SYMBOL; + } + + request.yar.set(SESSION_TOKEN_KEY, token); } - return token; -} + return request.yar.get(SESSION_TOKEN_KEY); +}; diff --git a/server/mt/auth/verify.js b/server/mt/auth/verify.js new file mode 100644 index 0000000..055da34 --- /dev/null +++ b/server/mt/auth/verify.js @@ -0,0 +1,62 @@ +/* + * Copyright 2016 FUJITSU LIMITED + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +import Boom from 'boom'; + +import { + SESSION_PROJECTS_KEY, + SESSION_USER_KEY, + SESSION_TOKEN_CHANGED, + TOKEN_CHANGED_VALUE +} from '../../const'; +import reload from './reload'; + +export default () => { + return (request, reply) => { + + let session = request.yar; + let userObj = session.get(SESSION_USER_KEY); + let tokenChanged = session.get(SESSION_TOKEN_CHANGED); + + if (tokenChanged === TOKEN_CHANGED_VALUE) { + request.log(['status', 'info', 'keystone'], + 'Detected that token has been changed, replaying the request' + ); + session.clear(SESSION_TOKEN_CHANGED); + return reply(reload.markup).type('text/html'); + } else if (userObj) { + let expiresAt = new Date(userObj.expires_at).valueOf(); + let now = new Date().valueOf(); + let diff = now - expiresAt; + + if (diff >= 0) { + session.reset(); + return reply(Boom.unauthorized('User token has expired')).takeover(); + } else { + return reply.continue({ + credentials: userObj, + artifacts : { + projects: session.get(SESSION_PROJECTS_KEY) + }, + log : { + tags: 'keystone ok' + } + }); + } + } + + // TODO(trebskit) should actually throw error here I guess + return reply.continue(); + }; +}; diff --git a/server/mt/index.js b/server/mt/index.js new file mode 100644 index 0000000..7c03b3a --- /dev/null +++ b/server/mt/index.js @@ -0,0 +1,64 @@ +/* + * Copyright 2016 FUJITSU LIMITED + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +export default { + bind: (server) => { + server.log(['status', 'info', 'keystone'], 'Registering keystone-auth schema'); + return Promise.all([ + bindAuthScheme(server), + bindExt(server), + bindRouting(server) + ]); + } +}; + +function bindRouting(server) { + const kibanaIndex = server.config().get('kibana.index'); + return require('./routing')(server) + .then((route)=> { + route(server, 'GET', '/{paths*}'); + route(server, 'POST', '/_mget'); + route(server, 'POST', '/{index}/_search'); + route(server, 'POST', '/{index}/_field_stats'); + route(server, 'POST', '/_msearch'); + route(server, 'POST', '/_search/scroll'); + route(server, ['PUT', 'POST', 'DELETE'], '/' + kibanaIndex + '/{paths*}'); + }); +} + +function bindAuthScheme(server) { + return Promise.all([ + server.auth.scheme( + 'keystone-token', + require('./auth/scheme') + ), + server.auth.strategy( + 'session', + 'keystone-token', + true, + require('./auth/strategy')(server) + ) + ]); +} + +function bindExt(server) { + return Promise.all([ + server.ext( + 'onPreAuth', + require('./auth/verify')(server), + {after: ['yar']} + ), + server.ext('onRequest', require('./verify')(server)) + ]); +} diff --git a/server/mt/kibana/_can_upgrade.js b/server/mt/kibana/_can_upgrade.js new file mode 100644 index 0000000..bfb85f6 --- /dev/null +++ b/server/mt/kibana/_can_upgrade.js @@ -0,0 +1,57 @@ +/* + * Copyright 2016 FUJITSU LIMITED + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +import semver from 'semver'; + +const VERSION_REGEX = /(\d+\.\d+\.\d+)\-rc(\d+)/i; + +export default (server, doc) => { + const config = server.config(); + + if (/beta|snapshot/i.test(doc._id)) { + return false; + } + if (!doc._id) { + return false; + } + if (doc._id === config.get('pkg.version')) { + return false; + } + + let packageRcRelease = Infinity; + let rcRelease = Infinity; + let packageVersion = config.get('pkg.version'); + let version = doc._id; + let matches = doc._id.match(VERSION_REGEX); + let packageMatches = config.get('pkg.version').match(VERSION_REGEX); + + if (matches) { + version = matches[1]; + rcRelease = parseInt(matches[2], 10); + } + + if (packageMatches) { + packageVersion = packageMatches[1]; + packageRcRelease = parseInt(packageMatches[2], 10); + } + + try { + if (semver.gte(version, packageVersion) && rcRelease >= packageRcRelease) { + return false; + } + } catch (e) { + return false; + } + return true; +}; diff --git a/server/mt/kibana/_configure.js b/server/mt/kibana/_configure.js new file mode 100644 index 0000000..d0cc1a5 --- /dev/null +++ b/server/mt/kibana/_configure.js @@ -0,0 +1,107 @@ +/* + * Copyright 2016 FUJITSU LIMITED + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +import { find } from 'lodash'; +import Promise from 'bluebird'; + +import canUpgradeConfig from './_can_upgrade'; + +export default (server, indexName) => { + const config = server.config(); + const client = server.plugins.elasticsearch.client; + const options = { + index: indexName, + type : 'config', + body : { + size: 1000, + sort: [ + { + buildNum: { + order : 'desc', + ignore_unmapped: true + } + } + ] + } + }; + + server.log(['status', 'debug', 'keystone'], `Configuring index ${indexName}`); + + return client + .search(options) + .then(upgradeConfig(server, indexName)) + .then(()=>{ + return Promise + .delay(666) + .then(() => { + server.log(['status', 'debug', 'keystone'], `Index ${indexName} has been configured`); + return indexName; + }); + }) + .catch((err)=> { + throw new Error(`Configuring ${indexName} failed, error is ${err}`); + }); + + function upgradeConfig(server, indexName) { + const client = server.plugins.elasticsearch.client; + const config = server.config(); + + return (response) => { + if (response.hits.hits.length === 0) { + return client.create({ + index: indexName, + type : 'config', + body : { + buildNum: config.get('pkg.buildNum') + }, + id : config.get('pkg.version') + }); + } + + // if we already have a the current version in the index then we need to stop + var devConfig = find(response.hits.hits, function currentVersion(hit) { + return hit._id !== '@@version' && hit._id === config.get('pkg.version'); + }); + + if (devConfig) { + return Promise.resolve(); + } + + // Look for upgradeable configs. If none of them are upgradeable + // then resolve with null. + let body = find(response.hits.hits, canUpgradeConfig.bind(null, server)); + if (!body) { + return Promise.resolve(); + } + + // if the build number is still the template string (which it wil be in development) + // then we need to set it to the max interger. Otherwise we will set it to the build num + body._source.buildNum = config.get('pkg.buildNum'); + + server.log(['plugin', 'elasticsearch'], { + tmpl : 'Upgrade config from <%= prevVersion %> to <%= newVersion %>', + prevVersion: body._id, + newVersion : config.get('pkg.version') + }); + + return client.create({ + index: indexName, + type : 'config', + body : body._source, + id : config.get('pkg.version') + }); + }; + } + +}; diff --git a/server/mt/kibana/_create.js b/server/mt/kibana/_create.js new file mode 100644 index 0000000..e2ae0ea --- /dev/null +++ b/server/mt/kibana/_create.js @@ -0,0 +1,60 @@ +/* + * Copyright 2016 FUJITSU LIMITED + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +import Boom from 'boom'; + +import { exists as indexExists } from './_exists'; + +export default (server, indexName) => { + const client = server.plugins.elasticsearch.client; + + server.log(['status', 'info', 'keystone'], `Creating user index ${indexName}`); + + return client.indices + .create({ + index: indexName, + body : { + settings: { + number_of_shards: 1 + }, + mappings: { + config: { + properties: { + buildNum: { + type : 'string', + index: 'not_analyzed' + } + } + } + } + } + }) + .catch((err)=> { + throw Boom.wrap(err, 500, + `Failed to create index ${indexName}`); + }) + .then(() => { + return indexExists(server, indexName, 'yellow') + .catch((err)=> { + throw Boom.wrap(err, 500, + `Waiting for index ${indexName} to come online failed`); + }) + .then(()=> { + server.log(['status', 'info', 'keystone'], + `Index ${indexName} has been created`); + return Promise.resolve(indexName); + }); + }); + +}; diff --git a/server/mt/kibana/_exists.js b/server/mt/kibana/_exists.js new file mode 100644 index 0000000..f16a989 --- /dev/null +++ b/server/mt/kibana/_exists.js @@ -0,0 +1,38 @@ +/* + * Copyright 2016 FUJITSU LIMITED + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +import kibanaIndex from './kibanaIndex'; + +export default (server, userObj) => { + const indexName = kibanaIndex(server, userObj); + return exists(server, indexName) + .then((resp) => { + return {indexName, resp}; + }); +}; + +export function exists(server, indexName, status) { + const es = server.plugins.elasticsearch.client; + const opts = { + timeout : '5s', + index : indexName, + ignore : [408], + waitForActiveShards: 1 + }; + if (status) { + opts.status = status; + } + return es.cluster.health(opts); +} + diff --git a/server/mt/kibana/index.js b/server/mt/kibana/index.js new file mode 100644 index 0000000..1971457 --- /dev/null +++ b/server/mt/kibana/index.js @@ -0,0 +1,39 @@ +/* + * Copyright 2016 FUJITSU LIMITED + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +import indexExists from './_exists'; +import createIndex from './_create'; +import configureIndex from './_configure'; + +export default (server, userObj) => { + return doCheck(); + + function doCheck() { + return indexExists(server, userObj) + .then(({indexName, resp}) => { + if (!resp || resp.timed_out) { + server.log(['status', 'warning', 'keystone'], `Index ${indexName} does not exists`); + return createIndex(server, indexName); + } + if (resp.status === 'red') { + server.log(['status', 'warning', 'keystone'], `Shards not ready for index ${indexName}`); + return Promise.delay(2500).then(doCheck); + } + return Promise.resolve(indexName); + }) + .then((indexName)=> { + return configureIndex(server, indexName); + }); + } +}; diff --git a/server/mt/kibana/kibanaIndex.js b/server/mt/kibana/kibanaIndex.js new file mode 100644 index 0000000..8d914a2 --- /dev/null +++ b/server/mt/kibana/kibanaIndex.js @@ -0,0 +1,29 @@ +/* + * Copyright 2016 FUJITSU LIMITED + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +/** + * Returns tenant/project-aware kibana index + * + * @param server server object + * @param userObj user details as retrieved from keystone + * @returns {string} project aware kibana index + * + */ +export default (server, userObj) => { + return `${server.config().get('kibana.index')}-${getProjectId(userObj)}`; +}; + +function getProjectId(userObj) { + return userObj.project.id; +} diff --git a/server/mt/projects/index.js b/server/mt/projects/index.js new file mode 100644 index 0000000..dec11dd --- /dev/null +++ b/server/mt/projects/index.js @@ -0,0 +1,52 @@ +/* + * Copyright 2016 FUJITSU LIMITED + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +import Promise from 'bluebird'; +import { pick, sortBy } from 'lodash'; + +import { SESSION_PROJECTS_KEY, SESSION_TOKEN_KEY } from '../../const'; + +export default (server, session, userObj) => { + + const usersApi = server.plugins['fts-keystone'].users; + + return new Promise((resolve) => { + return usersApi + .allProjects({ + params : { + user_id: userObj.user.id + }, + headers: { + 'X-Auth-Token' : session.get(SESSION_TOKEN_KEY), + 'X-Subject-Token': session.get(SESSION_TOKEN_KEY) + } + }) + .then((response) => { + const data = response.data; + const projects = data.projects; + + return sortBy( + projects.map( + project=>pick(project, ['id', 'name', 'description', 'domain_id']) + ), + 'name' + ); + }) + .then((projects) => { + session.set(SESSION_PROJECTS_KEY, projects); + return resolve(projects); + }); + }); + +}; diff --git a/server/mt/routing/_create_agent.js b/server/mt/routing/_create_agent.js new file mode 100644 index 0000000..4fd7d87 --- /dev/null +++ b/server/mt/routing/_create_agent.js @@ -0,0 +1,58 @@ +/* + * Copyright 2016 FUJITSU LIMITED + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +/* + This file was copied and modified for this plugin needs. + Original file can be found here => https://github.com/elastic/kibana/blob/4.4/src/plugins/elasticsearch/lib/create_agent.js + */ + +import url from 'url'; +import {memoize, size} from 'lodash'; +import fs from 'fs'; +import http from 'http'; +import https from 'https'; + +const readFile = (file) => fs.readFileSync(file, 'utf8'); + +module.exports = memoize(function (server) { + const config = server.config(); + const target = url.parse(config.get('elasticsearch.url')); + + if (!/^https/.test(target.protocol)) { + return new http.Agent(); + } + + const agentOptions = { + rejectUnauthorized: config.get('elasticsearch.ssl.verify') + }; + + if (size(config.get('elasticsearch.ssl.ca'))) { + agentOptions.ca = config.get('elasticsearch.ssl.ca').map(readFile); + } + + if (hasSSLEnabled()) { + agentOptions.cert = readFile(config.get('elasticsearch.ssl.cert')); + agentOptions.key = readFile(config.get('elasticsearch.ssl.key')); + } + + return new https.Agent(agentOptions); + + function hasSSLEnabled() { + return config.get('elasticsearch.ssl.cert') + && config.get('elasticsearch.ssl.key'); + } + +}); + +module.exports.cache = new Map(); diff --git a/server/mt/routing/_create_proxy.js b/server/mt/routing/_create_proxy.js new file mode 100644 index 0000000..e6f962d --- /dev/null +++ b/server/mt/routing/_create_proxy.js @@ -0,0 +1,42 @@ +/* + * Copyright 2016 FUJITSU LIMITED + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +import { PREFIX } from './_utils'; + +module.exports = (server, method, route) => { + + const serverConfig = server.config(); + const pre = '/elasticsearch'; + const sep = route[0] === '/' ? '' : '/'; + const path = `${PREFIX}${pre}${sep}${route}`; + + let options; + + switch (route) { + case '/_mget': + options = require('./routes/mget')(server, method, path); + break; + case '/{paths*}': + options = require('./routes/paths')(server, method, path); + break; + default: + if (route === `/${serverConfig.get('kibana.index')}/{paths*}`) { + options = require('./routes/kibana_index')(server, method, path); + } else { + options = require('./routes/default')(server, method, path); + } + } + + return server.route(options); +}; diff --git a/server/mt/routing/_map_uri.js b/server/mt/routing/_map_uri.js new file mode 100644 index 0000000..8a478ed --- /dev/null +++ b/server/mt/routing/_map_uri.js @@ -0,0 +1,43 @@ +/* + * Copyright 2016 FUJITSU LIMITED + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +/* +This file was copied and modified for this plugin needs. +Original file can be found here => https://github.com/elastic/kibana/blob/4.4/src/plugins/elasticsearch/lib/map_uri.js + */ + +import querystring from 'querystring'; + +import { PREFIX } from './_utils'; + +export default (server, request) => { + const config = server.config(); + const path = request.path.replace(`${PREFIX}/elasticsearch`, ''); + const query = querystring.stringify(request.query); + + let url = config.get('elasticsearch.url'); + + if (path) { + if (/\/$/.test(url)) { + url = url.substring(0, url.length - 1); + } + url += path; + } + + if (query) { + url += '?' + query; + } + + return url; +}; diff --git a/server/mt/routing/_re_route.js b/server/mt/routing/_re_route.js new file mode 100644 index 0000000..275d145 --- /dev/null +++ b/server/mt/routing/_re_route.js @@ -0,0 +1,27 @@ +/* + * Copyright 2016 FUJITSU LIMITED + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +import utils from '../../util'; +import { PREFIX } from './_utils'; + +module.exports = function reRoute(server) { + return (request, reply) => { + const requestPath = utils.requestPath(request); + if (utils.isESRequest(request)) { + server.log(['status', 'debug', 'keystone'], `Routing ${requestPath} onto ${PREFIX}${requestPath}`); + request.setUrl(`${PREFIX}${requestPath}`); + } + return reply.continue(); + }; +}; diff --git a/server/mt/routing/_utils.js b/server/mt/routing/_utils.js new file mode 100644 index 0000000..2408003 --- /dev/null +++ b/server/mt/routing/_utils.js @@ -0,0 +1,70 @@ +/* + * Copyright 2016 FUJITSU LIMITED + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +import createAgent from './_create_agent'; + +export const PREFIX = '/mt'; + +export function getOpts(server, request, url, payload) { + + let options = { + headers : {}, + redirects : true, + passThrough : true, + xforward : true, + timeout : 1000 * 60 * 3, + localStatePassThrough: false, + agent : createAgent(server), + }; + let protocol = url.split(':', 1)[0]; + + if (payload) { + options.payload = JSON.stringify(payload); + } + + if (options.passThrough) { + options.headers = require('hoek').clone(request.headers); + delete options.headers.host; + if (options.acceptEncoding === false) { + delete options.headers['accept-encoding']; + } + } + + if (options.xforward && + request.info.remoteAddress && + request.info.remotePort) { + + options.headers['x-forwarded-for'] = (options.headers['x-forwarded-for'] ? + options.headers['x-forwarded-for'] + ',' : '') + request.info.remoteAddress; + options.headers['x-forwarded-port'] = (options.headers['x-forwarded-port'] ? + options.headers['x-forwarded-port'] + ',' : '') + request.info.remotePort; + options.headers['x-forwarded-proto'] = (options.headers['x-forwarded-proto'] ? + options.headers['x-forwarded-proto'] + ',' : '') + protocol; + } + + const contentType = request.headers['content-type']; + if (contentType) { + options.headers['content-type'] = contentType; + } + + return options; +} + +export function parsePayload(request) { + let payload = request.payload; + if (!payload || payload.length <= 0) { + return {}; + } + return JSON.parse(payload.toString('utf-8')); +} diff --git a/server/mt/routing/index.js b/server/mt/routing/index.js new file mode 100644 index 0000000..08d8f16 --- /dev/null +++ b/server/mt/routing/index.js @@ -0,0 +1,23 @@ +/* + * Copyright 2016 FUJITSU LIMITED + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +import Promise from 'bluebird'; +import reRoute from './_re_route'; + +module.exports = function routing(server) { + return new Promise((resolve) => { + server.ext('onRequest', reRoute(server)); + resolve(require('./_create_proxy')); + }); +}; diff --git a/server/mt/routing/routes/default.js b/server/mt/routing/routes/default.js new file mode 100644 index 0000000..28a937c --- /dev/null +++ b/server/mt/routing/routes/default.js @@ -0,0 +1,35 @@ +/* + * Copyright 2016 FUJITSU LIMITED + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +import mapUri from '../_map_uri'; +import createAgent from '../_create_agent'; + +module.exports = function defaultHandler(server, method, path) { + return { + method : method, + path : path, + handler: { + proxy: { + mapUri : (request, done) => { + server.log(['status', 'debug', 'keystone'], + `mapUri for path ${request.path}`); + done(null, mapUri(server, request)); + }, + agent : createAgent(server), + passThrough: true, + xforward : true + } + } + }; +}; diff --git a/server/mt/routing/routes/kibana_index.js b/server/mt/routing/routes/kibana_index.js new file mode 100644 index 0000000..d1ede83 --- /dev/null +++ b/server/mt/routing/routes/kibana_index.js @@ -0,0 +1,57 @@ +/* + * Copyright 2016 FUJITSU LIMITED + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +import Wreck from 'wreck'; + +import { SESSION_USER_KEY } from '../../../const'; +import { getOpts, parsePayload } from '../_utils'; +import kibanaIndex from '../../kibana/kibanaIndex'; +import mapUri from '../_map_uri'; + +export default function (server, method, path) { + + const defaultKibanaIndex = server.config().get('kibana.index'); + + return { + method : method, + path : path, + config : { + auth : false, + payload: { + output: 'data', + parse : false + } + }, + handler: handler + }; + + function handler(request, reply) { + const url = getUrl(request); + const opts = getOpts(server, request, url, parsePayload(request)); + return Wreck.request(request.method, url, opts, (err, res) => { + return reply(res).code(res.statusCode).passThrough(!!opts.passThrough); + }); + } + + function getUrl(request) { + const session = request.yar._store; + + let url = mapUri(server, request).split('/'); + let indexPos = url.findIndex((item) => item === defaultKibanaIndex); + + url[indexPos] = kibanaIndex(server, session[SESSION_USER_KEY]); + + return url.join('/'); + } +} diff --git a/server/mt/routing/routes/mget.js b/server/mt/routing/routes/mget.js new file mode 100644 index 0000000..5dfade5 --- /dev/null +++ b/server/mt/routing/routes/mget.js @@ -0,0 +1,69 @@ +/* + * Copyright 2016 FUJITSU LIMITED + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +import Boom from 'boom'; +import Wreck from 'wreck'; + +import { SESSION_USER_KEY } from '../../../const'; +import { getOpts, parsePayload } from '../_utils'; +import kibanaIndex from '../../kibana/kibanaIndex'; +import mapUri from '../_map_uri'; + +export default function (server, method, path) { + + return { + method : method, + path : path, + config : { + auth : false, + payload: { + output: 'data', + parse : false + } + }, + handler: handler + }; + + function handler(request, reply) { + const url = mapUri(server, request); + const session = request.yar._store; + const payload = parsePayload(request); + + payload.docs.forEach((doc) => { + doc._index = kibanaIndex(server, session[SESSION_USER_KEY]); + }); + + const opts = getOpts(server, request, url, payload); + return Wreck.request(request.method, url, opts, (err, res) => { + if (err) { + server.log( + ['status', 'error', 'keystone'], + `Failed to request ${url}, error is ${err}`); + return reply(Boom.wrap(err)); + } + return Wreck.read(res, {json: true}, (err, body)=> { + if (err) { + server.log( + ['status', 'error', 'keystone'], + `Failed to read response from ${url}, error is ${err}`); + return reply(Boom.wrap(err)); + } + + return reply(body) + .code(res.statusCode) + .passThrough(!!opts.passThrough); + }); + }); + } +} diff --git a/server/mt/routing/routes/paths.js b/server/mt/routing/routes/paths.js new file mode 100644 index 0000000..4622d22 --- /dev/null +++ b/server/mt/routing/routes/paths.js @@ -0,0 +1,66 @@ +/* + * Copyright 2016 FUJITSU LIMITED + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +import Wreck from 'wreck'; + +import { SESSION_USER_KEY } from '../../../const'; +import { getOpts } from '../_utils'; +import kibanaIndex from '../../kibana/kibanaIndex'; +import mapUri from '../_map_uri'; + +export default function (server, method, path) { + const defaultKibanaIndex = defaultKibanaIndex; + + return { + method : method, + path : path, + config : { + tags: ['elasticsearch', 'multitenancy'], + auth: false + }, + handler: handler + }; + + function handler(request, reply) { + const session = request.yar._store; + + let url = mapUri(server, request).split('/'); + let kibanaIndexRequest = false; + + let indexPos = url.findIndex((item) => item === defaultKibanaIndex); + if (indexPos > -1) { + url[indexPos] = kibanaIndex(server, session[SESSION_USER_KEY]); + kibanaIndexRequest = true; + } + url = url.join('/'); + + const opts = getOpts(server, request, url); + return Wreck.request(request.method, url, opts, (err, res) => { + return Wreck.read(res, {json: true}, (err, body)=> { + let newData = {}; + + if (kibanaIndexRequest) { + let tenantAwareIndex = Object.keys(body)[0]; + newData[defaultKibanaIndex] = body[tenantAwareIndex]; + } else { + newData = body; + } + + return reply(newData) + .code(res.statusCode) + .passThrough(!!opts.passThrough); + }); + }); + } +} diff --git a/server/mt/verify/_verify_index_pattern.js b/server/mt/verify/_verify_index_pattern.js new file mode 100644 index 0000000..2384c79 --- /dev/null +++ b/server/mt/verify/_verify_index_pattern.js @@ -0,0 +1,41 @@ +/* + * Copyright 2016 FUJITSU LIMITED + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +import Boom from 'boom'; + +import { SESSION_PROJECTS_KEY } from '../../const'; +import util from '../../util'; + +const INDEX_PATTER_POS = 2; + +module.exports = (request, reply) => { + const session = request.yar._store; + const requestPath = util.requestPath(request); + const splittedPath = requestPath.split('/'); + + let pattern = splittedPath[INDEX_PATTER_POS]; + let projects = session[SESSION_PROJECTS_KEY]; + + if ('*' === pattern) { + return reply(Boom.badData('* as pattern is not supported at the moment')); + } else if (projects.filter(filter).length === 0) { + return reply(Boom.badData(`${pattern} do not match any project of current user`)); + } + + return reply.continue(); + + function filter(project) { + return new RegExp(`${project.id}.*`, 'gi').test(pattern); + } +}; diff --git a/server/mt/verify/index.js b/server/mt/verify/index.js new file mode 100644 index 0000000..0b009cb --- /dev/null +++ b/server/mt/verify/index.js @@ -0,0 +1,48 @@ +/* + * Copyright 2016 FUJITSU LIMITED + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +import { SESSION_USER_KEY } from '../../const'; +import util from '../../util'; + +module.exports = (server) => { + + return (request, reply) => { + const session = request.yar._store; + if (!(session && (SESSION_USER_KEY in session))) { + server.log(['status', 'warning', 'keystone'], 'Session not yet available'); + return reply.continue(); + } + + let requestPath = util.requestPath(request); + let requestMethod = request.method; + + if (util.isESRequest(request)) { + let handler; + if (isIndexPatternLookup()) { + handler = require('./_verify_index_pattern'); + } + if (handler) { + return handler(request, reply); + } + } + + return reply.continue(); + + function isIndexPatternLookup() { + let regExp = /\/elasticsearch\/.*\/_mapping\/field\/.*/; + return regExp.test(requestPath) && requestMethod.toLowerCase() === 'get'; + } + + }; +}; diff --git a/server/proxy/proxy.js b/server/proxy/proxy.js deleted file mode 100644 index 29d3f6a..0000000 --- a/server/proxy/proxy.js +++ /dev/null @@ -1,93 +0,0 @@ -/* - * Copyright 2016 FUJITSU LIMITED - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except - * in compliance with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software distributed under the License - * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express - * or implied. See the License for the specific language governing permissions and limitations under - * the License. - */ - -const Boom = require('boom'); -const retrieveToken = require('./retrieveToken'); -const TokensApi = require('keystone-v3-client/lib/keystone/tokens'); - -const util = require('../util/'); - -module.exports = function (server) { - const config = server.config(); - const tokensApi = new TokensApi({ - url: `${config.get('fts-keystone.url')}:${config.get('fts-keystone.port')}` - }); - - return (request, reply) => { - const requestPath = getRequestPath(request); - let token; - - if (shouldCallKeystone(requestPath)) { - server.log( - ['keystone', 'debug'], - `Call for ${requestPath} detected, authenticating with keystone` - ); - - token = retrieveToken(server, request); - if (token.isBoom) { - return reply(token); - } - - return tokensApi - .check({ - headers: { - 'X-Auth-Token' : token, - 'X-Subject-Token': token - } - }) - .then(onFulfilled, onFailed); - - } - - return reply.continue(); - - function onFulfilled() { - reply.continue(); - } - - function onFailed(error) { - - server.log( - ['keystone', 'error'], - `Failed to authenticate token ${token} with keystone, - error is ${error.statusCode}.` - ); - - if (error.statusCode === 401) { - request.session.clear('keystone_token'); - reply(Boom.forbidden( - ` - You\'re not logged in as a - user who\'s authenticated to access log information - ` - )); - } else { - reply(Boom.internal( - error.message || 'Unexpected error during Keystone communication', - {}, - error.statusCode - )); - } - } - - }; -}; - -function getRequestPath(request) { - return request.url.path; -} - -function shouldCallKeystone(path) { - return util.startsWith(path, '/elasticsearch'); -} diff --git a/server/session/index.js b/server/session/index.js index da04fb3..57a8a35 100644 --- a/server/session/index.js +++ b/server/session/index.js @@ -12,34 +12,39 @@ * the License. */ -module.exports = function initSession(server) { +import yarCookie from 'yar'; +import multiTenancy from '../mt'; +export default (server) => { const config = server.config(); - const registerOpts = { - register: require('yar'), - options : { - name : 'kibana_session', - storeBlank : false, - cache : { - expiresIn: config.get('fts-keystone.cookie.expiresIn') - }, - cookieOptions: { - password : config.get('fts-keystone.cookie.password'), - isSecure : config.get('fts-keystone.cookie.isSecure'), - ignoreErrors: config.get('fts-keystone.cookie.ignoreErrors'), - clearInvalid: true - } + return { + start: ()=> { + server.register({ + register: yarCookie, + options : { + maxCookieSize: 4096, + name : config.get('fts-keystone.cookie.name'), + storeBlank : false, + cache : { + expiresIn: config.get('fts-keystone.cookie.expiresIn') + }, + cookieOptions: { + password : config.get('fts-keystone.cookie.password'), + isSecure : config.get('fts-keystone.cookie.isSecure'), + ignoreErrors: config.get('fts-keystone.cookie.ignoreErrors'), + clearInvalid: false + } + } + }, (error) => { + if (!error) { + server.log(['status', 'info', 'keystone'], 'Session registered'); + multiTenancy.bind(server); + } else { + server.log(['status', 'error', 'keystone'], error); + throw error; + } + }); } }; - const callback = (error) => { - if (!error) { - server.log(['session', 'debug'], 'Session registered'); - } else { - server.log(['session', 'error'], error); - throw error; - } - }; - - server.register(registerOpts, callback); }; diff --git a/server/util/index.js b/server/util/index.js index 6bffcad..3211722 100644 --- a/server/util/index.js +++ b/server/util/index.js @@ -13,7 +13,9 @@ */ module.exports = { - startsWith: startsWith + startsWith: startsWith, + requestPath: getRequestPath, + isESRequest: isESRequest }; function startsWith(str) { @@ -25,3 +27,11 @@ function startsWith(str) { } return false; } + +function getRequestPath(request) { + return request.url.path; +} + +function isESRequest(request) { + return startsWith(getRequestPath(request), '/elasticsearch'); +}