feat: added error handling and marked the /sdpath tenant as obsolete

e8bac496 · Diego Molteni · a31d434c · e8bac496 · e8bac496 · e8bac496
Commit e8bac496 authored Sep 08, 2021 by Diego Molteni
--- a/docs/api/openapi.osdu.yaml
+++ b/docs/api/openapi.osdu.yaml
@@ -1335,7 +1335,7 @@ paths:
      description: "<ul><li>Return the seistore path to a tenant associated with the data partition.</li><li>Required roles: none</li></ul>"
      operationId: tenant-sdpath
      tags:
-        - Tenant
+        - Tenant (Obsolete)
      parameters:
        - description: "Datapartition of the tenant."
          in: query

--- a/docs/api/openapi.yaml
+++ b/docs/api/openapi.yaml
@@ -1345,7 +1345,7 @@ paths:
      description: "<ul><li>Return the seistore path to a tenant associated with the data partition.</li><li>Required roles: none</li></ul>"
      operationId: tenant-sdpath
      tags:
-        - Tenant
+        - Tenant (Obsolete)
      parameters:
        - description: "Datapartition of the tenant"
          in: query

--- a/src/server/server.ts
+++ b/src/server/server.ts
@@ -100,87 +100,92 @@ export class Server {
        this.app.disable('x-powered-by');
        this.app.use(cors(this.corsOptions));
        this.app.options('*', cors());
-        this.app.use('/seistore-svc/api/v3/swagger-ui.html',swaggerUi.serve, swaggerUi.setup(swaggerDocument,{
+        this.app.use('/seistore-svc/api/v3/swagger-ui.html', swaggerUi.serve, swaggerUi.setup(swaggerDocument, {
            customCss: '.swagger-ui .topbar { display: none }'
        }));
        this.app.use(async (req: express.Request, res: express.Response, next: express.NextFunction) => {

-            // Audience Check Reporting
-            // This will be temporary used instead of the more generic JWKS PROXY.
-            // We want a non-fail check that report only the missing audience
-            // slb requirement - to support client migration in september 2021
-            // This will be removed and replace in october 2021 with the generic JWKS PROXY
-            if(Config.ENABLE_SDMS_ID_AUDIENCE_CHECK) {
-                if(req.headers.authorization) {
-                    const audience = Utils.getAudienceFromPayload(req.headers.authorization);
-                    const sdmsID = AuthProviderFactory.build(Config.SERVICE_AUTH_PROVIDER).getClientID();
-                    if((Array.isArray(audience) && audience.indexOf(sdmsID) === -1) || (audience !== sdmsID)) {
-                        if(audience.indexOf(sdmsID) === -1) {
-                            LoggerFactory.build(Config.CLOUDPROVIDER).info('[audience] ' +
-                                JSON.stringify(Utils.getPayloadFromStringToken(req.headers.authorization)));
+            try {
+                // Audience Check Reporting
+                // This will be temporary used instead of the more generic JWKS PROXY.
+                // We want a non-fail check that report only the missing audience
+                // slb requirement - to support client migration in september 2021
+                // This will be removed and replace in october 2021 with the generic JWKS PROXY
+                if (Config.ENABLE_SDMS_ID_AUDIENCE_CHECK) {
+                    if (req.headers.authorization) {
+                        const audience = Utils.getAudienceFromPayload(req.headers.authorization);
+                        const sdmsID = AuthProviderFactory.build(Config.SERVICE_AUTH_PROVIDER).getClientID();
+                        if ((Array.isArray(audience) && audience.indexOf(sdmsID) === -1) || (audience !== sdmsID)) {
+                            if (audience.indexOf(sdmsID) === -1) {
+                                LoggerFactory.build(Config.CLOUDPROVIDER).info('[audience] ' +
+                                    JSON.stringify(Utils.getPayloadFromStringToken(req.headers.authorization)));
+                            }
                        }
                    }
                }
-            }

-            // If required, exchange the caller credentials to include the DE target audience
-            if(Config.ENABLE_DE_TOKEN_EXCHANGE) {
-                if(Config.DES_TARGET_AUDIENCE) {
-                    if(req.headers.authorization) {
-                        req.headers.authorization = await AuthProviderFactory.build(
-                            Config.SERVICE_AUTH_PROVIDER).exchangeCredentialAudience(
-                                req.headers.authorization, Config.DES_TARGET_AUDIENCE);
+                // If required, exchange the caller credentials to include the DE target audience
+                if (Config.ENABLE_DE_TOKEN_EXCHANGE) {
+                    if (Config.DES_TARGET_AUDIENCE) {
+                        if (req.headers.authorization) {
+                            req.headers.authorization = await AuthProviderFactory.build(
+                                Config.SERVICE_AUTH_PROVIDER).exchangeCredentialAudience(
+                                    req.headers.authorization, Config.DES_TARGET_AUDIENCE);
+                        }
                    }
                }
-            }

-            // ensure the authorization header is passed/
-            // the imptoken refresh method is now obsolete because was not secured.
-            // the imptoken endpoints are not enabled in any CSP but temporarily used in SLB only.
-            // the imptoken endpoints have been marked as obsoleted and will be deprecated with the
-            // next service upgrade (v3>v4)
-            if (!req.headers.authorization) {
-                if(!((req.method === 'PUT' && req.url.endsWith('imptoken')) || req.url.endsWith('svcstatus'))) {
-                    Response.writeError(res, Error.make(
-                        Error.Status.UNAUTHENTICATED,
-                        'Unauthenticated Access. Authorizations not found in the request.'));
-                    return;
+                // ensure the authorization header is passed/
+                // the imptoken refresh method is now obsolete because was not secured.
+                // the imptoken endpoints are not enabled in any CSP but temporarily used in SLB only.
+                // the imptoken endpoints have been marked as obsoleted and will be deprecated with the
+                // next service upgrade (v3>v4)
+                if (!req.headers.authorization) {
+                    if (!((req.method === 'PUT' && req.url.endsWith('imptoken')) || req.url.endsWith('svcstatus'))) {
+                        Response.writeError(res, Error.make(
+                            Error.Status.UNAUTHENTICATED,
+                            'Unauthenticated Access. Authorizations not found in the request.'));
+                        return;
+                    }
                }
-            }

-            // track caller to the main log
-            const key = req.headers['x-api-key'] as string;
-            const logger = LoggerFactory.build(Config.CLOUDPROVIDER);
-            logger.info(
-                ((key && key.length > 5) ? ('[***' + key.substr(key.length - 5) +  '] ') : '')
-                + '[' + req.method + '] ' + req.url);
-
-            // init the metrics logger
-            if(FeatureFlags.isEnabled(Feature.LOGGING))  {
-                LoggerFactory.build(Config.CLOUDPROVIDER).metric('Request Size',
-                    req.headers['content-length'] ? +req.headers['content-length'] : 0)
-            }
+                // track caller to the main log
+                const key = req.headers['x-api-key'] as string;
+                const logger = LoggerFactory.build(Config.CLOUDPROVIDER);
+                logger.info(
+                    ((key && key.length > 5) ? ('[***' + key.substr(key.length - 5) + '] ') : '')
+                    + '[' + req.method + '] ' + req.url);
+
+                // init the metrics logger
+                if (FeatureFlags.isEnabled(Feature.LOGGING)) {
+                    LoggerFactory.build(Config.CLOUDPROVIDER).metric('Request Size',
+                        req.headers['content-length'] ? +req.headers['content-length'] : 0)
+                }

-            // forward the caller appkey if exist
-            // if exists ensure it does not collide the google-esp api-key (required for backward compatibility)
-            req[Config.DE_FORWARD_APPKEY] =
-                req.headers['appkey'] !== req.headers['x-api-key'] ? req.headers['appkey'] : undefined
+                // forward the caller appkey if exist
+                // if exists ensure it does not collide the google-esp api-key (required for backward compatibility)
+                req[Config.DE_FORWARD_APPKEY] =
+                    req.headers['appkey'] !== req.headers['x-api-key'] ? req.headers['appkey'] : undefined

-            // set the header correlation id and keep a reference in the response locals
-            if(Config.CORRELATION_ID) {
-                if(!req.headers[Config.CORRELATION_ID]) {
-                    req.headers[Config.CORRELATION_ID] = uuidv4();
+                // set the header correlation id and keep a reference in the response locals
+                if (Config.CORRELATION_ID) {
+                    if (!req.headers[Config.CORRELATION_ID]) {
+                        req.headers[Config.CORRELATION_ID] = uuidv4();
+                    }
+                    res.locals[Config.CORRELATION_ID] = req.headers[Config.CORRELATION_ID];
                }
-                res.locals[Config.CORRELATION_ID] = req.headers[Config.CORRELATION_ID];
-            }

-            next();
+                next();
+
+            } catch (error) {
+                Response.writeError(res, error);
+            }
        });

        const jwtValidateOptions: JwtProxyOptions = {
            disable: !Config.JWT_ENABLE_FEATURE,
            excluded: Config.JWT_EXCLUDE_PATHS ? Config.JWT_EXCLUDE_PATHS.split(';') : [],
-            jwksUrl:Config.JWKS_URL,
+            jwksUrl: Config.JWKS_URL,
            algorithms: ['RS256'],
            audience: Config.JWT_AUDIENCE
        }
@@ -201,10 +206,10 @@ export class Server {
        // https://github.com/nodejs/node/issues/27363

        // SSL
-        if (Config.SSL_ENABLED){
-            const privateKey  = fs.readFileSync(Config.SSL_KEY_PATH, 'utf8');
+        if (Config.SSL_ENABLED) {
+            const privateKey = fs.readFileSync(Config.SSL_KEY_PATH, 'utf8');
            const certificate = fs.readFileSync(Config.SSL_CERT_PATH, 'utf8');
-            const credentials = {key: privateKey, cert: certificate};
+            const credentials = { key: privateKey, cert: certificate };
            this.httpsServer = https.createServer(credentials, this.app).listen(this.port, () => {
                // tslint:disable-next-line
                console.log(`- Server is listening on port ${this.port}...`);

--- a/src/services/tenant/handler.ts
+++ b/src/services/tenant/handler.ts
@@ -142,11 +142,6 @@ export class TenantHandler {

        const dataPartition = TenantParser.dataPartition(req);

-        if (FeatureFlags.isEnabled(Feature.AUTHORIZATION)) {
-            await Auth.isUserRegistered(req.headers.authorization,
-                (await TenantDAO.get(dataPartition)).esd, req[Config.DE_FORWARD_APPKEY]);
-        }
-
        try {
            const tenants = await TenantDAO.getAll();
            if (dataPartition === 'slb') return (Config.SDPATHPREFIX + dataPartition);