All files / src/middleware authorisation.coffee

48.84% Statements 21/43
8.33% Branches 1/12
0% Functions 0/7
48.78% Lines 20/41
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 702x 2x 2x 2x 2x 2x 2x   2x 2x 2x 2x 2x   2x 2x   2x         2x                     2x           2x                                   2x                     2x  
Q = require "q"
logger = require "winston"
atna = require 'atna-audit'
config = require '../config/config'
config.authentication = config.get('authentication')
utils = require '../utils'
auditing = require '../auditing'
 
statsdServer = config.get 'statsd'
application = config.get 'application'
himSourceID = config.get('auditing').auditEvents.auditSourceID
SDC = require 'statsd-client'
os = require 'os'
 
domain = "#{os.hostname()}.#{application.name}.appMetrics"
sdc = new SDC statsdServer
 
genAuthAudit = (remoteAddress) ->
  audit = atna.nodeAuthentication remoteAddress, himSourceID, os.hostname(), atna.OUTCOME_MINOR_FAILURE
  audit = atna.wrapInSyslog audit
  return audit
 
authoriseClient = (channel, ctx) ->
  if ctx.authenticated? and channel.allow?
    if ctx.authenticated.roles?
      for role in channel.allow
        if role in ctx.authenticated.roles
          return true
    if ctx.authenticated.clientID in channel.allow
      return true
 
  return false
 
authoriseIP = (channel, ctx) ->
  if channel.whitelist?.length > 0
    return ctx.ip in channel.whitelist
  else
    return true # whitelist auth not required
 
exports.authorise = (ctx, done) ->
 
  channel = ctx.matchingChannel
 
  if channel? and authoriseIP(channel, ctx) and (channel.authType is 'public' or authoriseClient(channel, ctx))
    # authorisation succeeded
    ctx.authorisedChannel = channel
    logger.info "The request, '#{ctx.request.path}' is authorised to access #{ctx.authorisedChannel.name}"
  else
    # authorisation failed
    ctx.response.status = 401
    if config.authentication.enableBasicAuthentication
      ctx.set "WWW-Authenticate", "Basic"
    logger.info "The request, '#{ctx.request.path}', is not authorised to access any channels."
    auditing.sendAuditEvent genAuthAudit(ctx.ip), -> logger.debug 'Processed nodeAuthentication audit'
 
  done()
 
exports.koaMiddleware = (next) ->
  startTime = new Date() if statsdServer.enabled
  authorise = Q.denodeify exports.authorise
  yield authorise this
  if this.authorisedChannel?
    sdc.timing "#{domain}.authorisationMiddleware", startTime if statsdServer.enabled
    yield next
 
# export private functions for unit testing
# note: you cant spy on these method because of this :(
if process.env.NODE_ENV == "test"
  exports.genAuthAudit = genAuthAudit