Merge pull request #1379 from balena-io/export-augmentReqApiKeyPermis…
…sions

Export the augmentReqApiKeyPermissions api key helper
flowzone-app[bot] authored Aug 30, 2023
2 parents 91fb0f4 + 6af0fa2 commit ff9e4dd
Showing 4 changed files with 28 additions and 8 deletions.
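--- a/src/features/api-keys/lib.ts
+++ b/src/features/api-keys/lib.ts
@@ -335,10 +335,27 @@ export const augmentReqApiKeyPermissions = <
 T extends permissions.PermissionReq,
 >(
 req: T,
-...extraPermissions: string[]
+extraPermissions: string[],
+/**
+* When mutateRequestObject is
+* false: A new request object with augmented permissions is returned to be used for specific tasks,
+* while the rest of the code (eg: middleware & hooks) still runs with permissions the original request.
+* true: The permissions are augmented for the whole lifetime of the request.
+*/
+mutateRequestObject = false,
 ): T => {
-const augmentedReq = _.clone(req);
-augmentedReq.apiKey = _.cloneDeep(augmentedReq.apiKey);
+let augmentedReq = req;
+
+if (!mutateRequestObject) {
+augmentedReq = _.clone(req);
+augmentedReq.apiKey = _.cloneDeep(augmentedReq.apiKey);
+} else if (augmentedReq.apiKey?.permissions) {
+// When mutateRequestObject === true we still need to clone
+// the permissions array rather than modifying it directly
+// so that we do not pollute pine's apiKeyPermissions cache.
+augmentedReq.apiKey.permissions = [...augmentedReq.apiKey.permissions];
+}
+
 augmentedReq.apiKey?.permissions?.push(...extraPermissions);
 return augmentedReq;
 };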
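Review bot: The `else if` branch copies only the `permissions` array and still writes to `req.apiKey` in place, so the cache protection described in the comment holds only if pine caches the array and not the `apiKey` object that carries it, which this page does not show. If that is not guaranteed, copy the key object too: `augmentedReq.apiKey = { ...augmentedReq.apiKey, permissions: [...augmentedReq.apiKey.permissions] };`. Separately, `mutateRequestObject` widens permissions for every later middleware and hook, and a bare positional `true` is easy to overlook at a call site; an options object such as `{ mutateRequestObject: true }` would make that escalation explicit where it is requested. The function's opening line sits in the hunk header, just outside the hunk.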
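--- a/src/features/auth/public-keys.ts
+++ b/src/features/auth/public-keys.ts
@@ -16,7 +16,7 @@ export const getUserPublicKeys: RequestHandler = async (req, res) => {
 // Augment with the ability to resolve the user's username for this request only, there's no need
 // for device keys to have the ability by default. Access to the public key will still be restricted
 // by `user__has__public_key` so this only affects the ability to resolve the username they apply to
-req = augmentReqApiKeyPermissions(req, 'resin.user.read');
+req = augmentReqApiKeyPermissions(req, ['resin.user.read']);
 const data = (await sbvrUtils.api.resin.get({
 resource: 'user__has__public_key',
 options: {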
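--- a/src/features/device-provisioning/register.ts
+++ b/src/features/device-provisioning/register.ts
@@ -58,14 +58,13 @@ export const register: RequestHandler = async (req, res) => {
 * - Fetch the device we create & create an api key for it
 * - Read the hostApp releases that should be operating the device
 */
-req = augmentReqApiKeyPermissions(
-req,
+req = augmentReqApiKeyPermissions(req, [
 'resin.device.read',
 'resin.device.create-device-api-key',
 `resin.application.read?is_public eq true and is_host eq true and is_for__device_type/canAccess()`,
 'resin.release.read?belongs_to__application/canAccess()',
 `resin.release_tag.read?release/canAccess()`,
-);
+]);
 
 const response = await sbvrUtils.db.transaction(async (tx) => {
 // TODO: Replace this manual rollback on request closure with a more generic/automated version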
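--- a/src/index.ts
+++ b/src/index.ts
@@ -92,7 +92,10 @@ import {
 import { createScopedAccessToken, createJwt } from './infra/auth/jwt';
 import { resolveOrDenyDevicesWithStatus } from './features/device-state/middleware';
 import { middleware as authMiddleware } from './infra/auth';
-import { isApiKeyWithRole } from './features/api-keys/lib';
+import {
+augmentReqApiKeyPermissions,
+isApiKeyWithRole,
+} from './features/api-keys/lib';
 import { setupDeleteCascade as addDeleteHookForDependents } from './features/cascade-delete/setup-delete-cascade';
 import {
 updateOrInsertModel,
@@ -225,6 +228,7 @@ export const utils = {
 throttledForEach,
 };
 export const apiKeys = {
+augmentReqApiKeyPermissions,
 isApiKeyWithRole,
 };
 export const application = {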
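Review bot: Adding `augmentReqApiKeyPermissions` to the exported `apiKeys` object makes a permission-widening helper part of the package's public surface, and no function-level doc comment is visible for it in the `src/features/api-keys/lib.ts` section of this commit (only the `mutateRequestObject` parameter is documented; lines above that hunk are not shown). I would add a TSDoc block on the function stating that `extraPermissions` must be fixed strings chosen by the calling code and never built from request data, that the default non-mutating mode should be preferred, and that nothing is added when the request carries no `apiKey`. The last point follows from the optional chaining in `augmentedReq.apiKey?.permissions?.push(...)`, which callers outside this repository cannot be expected to know.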
