Commit e8bac496 authored by Diego Molteni's avatar Diego Molteni
Browse files

feat: added error handling and marked the /sdpath tenant as obsolete

parent a31d434c
......@@ -1335,7 +1335,7 @@ paths:
description: "<ul><li>Return the seistore path to a tenant associated with the data partition.</li><li>Required roles: none</li></ul>"
operationId: tenant-sdpath
tags:
- Tenant
- Tenant (Obsolete)
parameters:
- description: "Datapartition of the tenant."
in: query
......
......@@ -1345,7 +1345,7 @@ paths:
description: "<ul><li>Return the seistore path to a tenant associated with the data partition.</li><li>Required roles: none</li></ul>"
operationId: tenant-sdpath
tags:
- Tenant
- Tenant (Obsolete)
parameters:
- description: "Datapartition of the tenant"
in: query
......
......@@ -100,87 +100,92 @@ export class Server {
this.app.disable('x-powered-by');
this.app.use(cors(this.corsOptions));
this.app.options('*', cors());
this.app.use('/seistore-svc/api/v3/swagger-ui.html',swaggerUi.serve, swaggerUi.setup(swaggerDocument,{
this.app.use('/seistore-svc/api/v3/swagger-ui.html', swaggerUi.serve, swaggerUi.setup(swaggerDocument, {
customCss: '.swagger-ui .topbar { display: none }'
}));
this.app.use(async (req: express.Request, res: express.Response, next: express.NextFunction) => {
// Audience Check Reporting
// This will be temporary used instead of the more generic JWKS PROXY.
// We want a non-fail check that report only the missing audience
// slb requirement - to support client migration in september 2021
// This will be removed and replace in october 2021 with the generic JWKS PROXY
if(Config.ENABLE_SDMS_ID_AUDIENCE_CHECK) {
if(req.headers.authorization) {
const audience = Utils.getAudienceFromPayload(req.headers.authorization);
const sdmsID = AuthProviderFactory.build(Config.SERVICE_AUTH_PROVIDER).getClientID();
if((Array.isArray(audience) && audience.indexOf(sdmsID) === -1) || (audience !== sdmsID)) {
if(audience.indexOf(sdmsID) === -1) {
LoggerFactory.build(Config.CLOUDPROVIDER).info('[audience] ' +
JSON.stringify(Utils.getPayloadFromStringToken(req.headers.authorization)));
try {
// Audience Check Reporting
// This will be temporary used instead of the more generic JWKS PROXY.
// We want a non-fail check that report only the missing audience
// slb requirement - to support client migration in september 2021
// This will be removed and replace in october 2021 with the generic JWKS PROXY
if (Config.ENABLE_SDMS_ID_AUDIENCE_CHECK) {
if (req.headers.authorization) {
const audience = Utils.getAudienceFromPayload(req.headers.authorization);
const sdmsID = AuthProviderFactory.build(Config.SERVICE_AUTH_PROVIDER).getClientID();
if ((Array.isArray(audience) && audience.indexOf(sdmsID) === -1) || (audience !== sdmsID)) {
if (audience.indexOf(sdmsID) === -1) {
LoggerFactory.build(Config.CLOUDPROVIDER).info('[audience] ' +
JSON.stringify(Utils.getPayloadFromStringToken(req.headers.authorization)));
}
}
}
}
}
// If required, exchange the caller credentials to include the DE target audience
if(Config.ENABLE_DE_TOKEN_EXCHANGE) {
if(Config.DES_TARGET_AUDIENCE) {
if(req.headers.authorization) {
req.headers.authorization = await AuthProviderFactory.build(
Config.SERVICE_AUTH_PROVIDER).exchangeCredentialAudience(
req.headers.authorization, Config.DES_TARGET_AUDIENCE);
// If required, exchange the caller credentials to include the DE target audience
if (Config.ENABLE_DE_TOKEN_EXCHANGE) {
if (Config.DES_TARGET_AUDIENCE) {
if (req.headers.authorization) {
req.headers.authorization = await AuthProviderFactory.build(
Config.SERVICE_AUTH_PROVIDER).exchangeCredentialAudience(
req.headers.authorization, Config.DES_TARGET_AUDIENCE);
}
}
}
}
// ensure the authorization header is passed/
// the imptoken refresh method is now obsolete because was not secured.
// the imptoken endpoints are not enabled in any CSP but temporarily used in SLB only.
// the imptoken endpoints have been marked as obsoleted and will be deprecated with the
// next service upgrade (v3>v4)
if (!req.headers.authorization) {
if(!((req.method === 'PUT' && req.url.endsWith('imptoken')) || req.url.endsWith('svcstatus'))) {
Response.writeError(res, Error.make(
Error.Status.UNAUTHENTICATED,
'Unauthenticated Access. Authorizations not found in the request.'));
return;
// ensure the authorization header is passed/
// the imptoken refresh method is now obsolete because was not secured.
// the imptoken endpoints are not enabled in any CSP but temporarily used in SLB only.
// the imptoken endpoints have been marked as obsoleted and will be deprecated with the
// next service upgrade (v3>v4)
if (!req.headers.authorization) {
if (!((req.method === 'PUT' && req.url.endsWith('imptoken')) || req.url.endsWith('svcstatus'))) {
Response.writeError(res, Error.make(
Error.Status.UNAUTHENTICATED,
'Unauthenticated Access. Authorizations not found in the request.'));
return;
}
}
}
// track caller to the main log
const key = req.headers['x-api-key'] as string;
const logger = LoggerFactory.build(Config.CLOUDPROVIDER);
logger.info(
((key && key.length > 5) ? ('[***' + key.substr(key.length - 5) + '] ') : '')
+ '[' + req.method + '] ' + req.url);
// init the metrics logger
if(FeatureFlags.isEnabled(Feature.LOGGING)) {
LoggerFactory.build(Config.CLOUDPROVIDER).metric('Request Size',
req.headers['content-length'] ? +req.headers['content-length'] : 0)
}
// track caller to the main log
const key = req.headers['x-api-key'] as string;
const logger = LoggerFactory.build(Config.CLOUDPROVIDER);
logger.info(
((key && key.length > 5) ? ('[***' + key.substr(key.length - 5) + '] ') : '')
+ '[' + req.method + '] ' + req.url);
// init the metrics logger
if (FeatureFlags.isEnabled(Feature.LOGGING)) {
LoggerFactory.build(Config.CLOUDPROVIDER).metric('Request Size',
req.headers['content-length'] ? +req.headers['content-length'] : 0)
}
// forward the caller appkey if exist
// if exists ensure it does not collide the google-esp api-key (required for backward compatibility)
req[Config.DE_FORWARD_APPKEY] =
req.headers['appkey'] !== req.headers['x-api-key'] ? req.headers['appkey'] : undefined
// forward the caller appkey if exist
// if exists ensure it does not collide the google-esp api-key (required for backward compatibility)
req[Config.DE_FORWARD_APPKEY] =
req.headers['appkey'] !== req.headers['x-api-key'] ? req.headers['appkey'] : undefined
// set the header correlation id and keep a reference in the response locals
if(Config.CORRELATION_ID) {
if(!req.headers[Config.CORRELATION_ID]) {
req.headers[Config.CORRELATION_ID] = uuidv4();
// set the header correlation id and keep a reference in the response locals
if (Config.CORRELATION_ID) {
if (!req.headers[Config.CORRELATION_ID]) {
req.headers[Config.CORRELATION_ID] = uuidv4();
}
res.locals[Config.CORRELATION_ID] = req.headers[Config.CORRELATION_ID];
}
res.locals[Config.CORRELATION_ID] = req.headers[Config.CORRELATION_ID];
}
next();
next();
} catch (error) {
Response.writeError(res, error);
}
});
const jwtValidateOptions: JwtProxyOptions = {
disable: !Config.JWT_ENABLE_FEATURE,
excluded: Config.JWT_EXCLUDE_PATHS ? Config.JWT_EXCLUDE_PATHS.split(';') : [],
jwksUrl:Config.JWKS_URL,
jwksUrl: Config.JWKS_URL,
algorithms: ['RS256'],
audience: Config.JWT_AUDIENCE
}
......@@ -201,10 +206,10 @@ export class Server {
// https://github.com/nodejs/node/issues/27363
// SSL
if (Config.SSL_ENABLED){
const privateKey = fs.readFileSync(Config.SSL_KEY_PATH, 'utf8');
if (Config.SSL_ENABLED) {
const privateKey = fs.readFileSync(Config.SSL_KEY_PATH, 'utf8');
const certificate = fs.readFileSync(Config.SSL_CERT_PATH, 'utf8');
const credentials = {key: privateKey, cert: certificate};
const credentials = { key: privateKey, cert: certificate };
this.httpsServer = https.createServer(credentials, this.app).listen(this.port, () => {
// tslint:disable-next-line
console.log(`- Server is listening on port ${this.port}...`);
......
......@@ -142,11 +142,6 @@ export class TenantHandler {
const dataPartition = TenantParser.dataPartition(req);
if (FeatureFlags.isEnabled(Feature.AUTHORIZATION)) {
await Auth.isUserRegistered(req.headers.authorization,
(await TenantDAO.get(dataPartition)).esd, req[Config.DE_FORWARD_APPKEY]);
}
try {
const tenants = await TenantDAO.getAll();
if (dataPartition === 'slb') return (Config.SDPATHPREFIX + dataPartition);
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment