Fix permissions

vdechef · Feb 21, 2023 · ac3799b · ac3799b
1 parent 04ac937
commit ac3799b
Show file tree

Hide file tree

Showing 19 changed files with 149 additions and 125 deletions.
diff --git a/1_cookie/README.md b/1_cookie/README.md
@@ -0,0 +1,4 @@
+Pour démarrer le serveur
+- npm i
+- npm run dev
+- ouvrir http://localhost:3000 dans Firefox
diff --git a/2_vanilla-xss/README.md b/2_vanilla-xss/README.md
@@ -0,0 +1,4 @@
+Pour démarrer le serveur
+- npm i
+- npm run dev
+- ouvrir http://localhost:3000 dans Firefox
diff --git a/3_vue-xss/README.md b/3_vue-xss/README.md
@@ -1,29 +1,8 @@
-# vue-xss
-
-This template should help get you started developing with Vue 3 in Vite.
-
-## Recommended IDE Setup
-
-[VSCode](https://code.visualstudio.com/) + [Volar](https://marketplace.visualstudio.com/items?itemName=Vue.volar) (and disable Vetur) + [TypeScript Vue Plugin (Volar)](https://marketplace.visualstudio.com/items?itemName=Vue.vscode-typescript-vue-plugin).
-
-## Customize configuration
-
-See [Vite Configuration Reference](https://vitejs.dev/config/).
-
-## Project Setup
-
-```sh
-npm install
-```
-
-### Compile and Hot-Reload for Development
-
-```sh
-npm run dev
-```
-
-### Compile and Minify for Production
-
-```sh
-npm run build
-```
+Pour démarrer le backend
+- cd 2_vanilla-xss
+- npm run dev
+
+Pour démarrer le frontend
+- npm i
+- npm run dev
+- ouvrir http://localhost:4000 dans Firefox
diff --git a/4_csrf/README.md b/4_csrf/README.md
@@ -0,0 +1,6 @@
+Pour démarrer le serveur
+- npm i
+- npm run dev
+- ouvrir http://localhost:3000 dans Firefox
+
+Copier le code de csrf.html sur codepen.io pour tester une requete cross-site
diff --git a/5_sqli/README.md b/5_sqli/README.md
@@ -0,0 +1,13 @@
+Pour installer la BDD
+- docker run --detach --name sqlidb -p 5000:3306 --env MARIADB_USER=mdbuser --env MARIADB_PASSWORD=mdbpassword --env MARIADB_ROOT_PASSWORD=mdbroot  mariadb:latest
+
+Pour réinitialiser le contenu de la BDD
+- docker exec -i sqlidb mysql -u root -pmdbroot < init.sql
+
+Pour démarrer la BDD les fois suivantes
+- docker start sqlidb
+
+Pour démarrer le serveur
+- npm i
+- npm run dev
+- ouvrir http://localhost:3000 dans Firefox
diff --git a/6_exceptions/README.md b/6_exceptions/README.md
@@ -0,0 +1,13 @@
+Pour installer la BDD
+- docker run --detach --name sqlidb -p 5000:3306 --env MARIADB_USER=mdbuser --env MARIADB_PASSWORD=mdbpassword --env MARIADB_ROOT_PASSWORD=mdbroot  mariadb:latest
+
+Pour réinitialiser le contenu de la BDD
+- docker exec -i sqlidb mysql -u root -pmdbroot < init.sql
+
+Pour démarrer la BDD les fois suivantes
+- docker start sqlidb
+
+Pour démarrer le serveur
+- npm i
+- npm run dev
+- ouvrir http://localhost:3000 dans Firefox
diff --git a/7_xxe/README.md b/7_xxe/README.md
@@ -0,0 +1,4 @@
+Pour démarrer le serveur
+- npm i
+- npm run dev
+- ouvrir http://localhost:3000 dans Firefox
diff --git a/8_unittests/README.md b/8_unittests/README.md
@@ -0,0 +1,16 @@
+Pour installer la BDD
+- docker run --detach --name sqlidb -p 5000:3306 --env MARIADB_USER=mdbuser --env MARIADB_PASSWORD=mdbpassword --env MARIADB_ROOT_PASSWORD=mdbroot  mariadb:latest
+
+Pour réinitialiser le contenu de la BDD
+- docker exec -i sqlidb mysql -u root -pmdbroot < init.sql
+
+Pour démarrer la BDD les fois suivantes
+- docker start sqlidb
+
+Pour démarrer le serveur
+- npm i
+- npm run dev
+- ouvrir http://localhost:3000 dans Firefox
+
+Pour lancer les tests
+- npm run test
diff --git a/9_cypress/README.md b/9_cypress/README.md
@@ -0,0 +1,8 @@
+Pour démarrer le serveur
+- npm i
+- npm run dev
+- ouvrir http://localhost:3000 dans Firefox
+
+Pour lancer les tests cypress
+- npm run test
+- e2e tests dans chromium
diff --git a/9_cypress/cypress/e2e/routes.cy.js b/9_cypress/cypress/e2e/routes.cy.js
@@ -7,7 +7,7 @@ describe("Get Endpoints", () => {
         cy.get("[data-cy='xssPage']").click()
 
         // find textarea and set text into it
-        cy.get("textarea").type("mon texte")
+        cy.get("#saisie").type("mon texte")
         // click on button to send
         cy.contains("Envoyer").click()
         // check that message is displayed

diff --git a/9_cypress/package.json b/9_cypress/package.json
@@ -4,7 +4,8 @@
   "description": "",
   "main": "index.js",
   "scripts": {
-    "dev": "supervisor server.js"
+    "dev": "supervisor server.js",
+    "test": "cypress open"
   },
   "author": "",
   "license": "ISC",

diff --git a/a_permissions/README.md b/a_permissions/README.md
@@ -0,0 +1,11 @@
+Code adapté de https://github.com/cornflourblue/node-role-based-authorization-api.git
+
+Pour lancer le backend
+- cd backend
+- npm i
+- npm run dev
+
+Pour lancer le frontend
+- cd frontend
+- npm i
+- npm run dev
diff --git a/a_permissions/backend/_helpers/authorize.js b/a_permissions/backend/_helpers/authorize.js
@@ -1,28 +1,39 @@
 const jwt = require('express-jwt');
 const { secret } = require('config.json');
+const Role = require('./role');
+const Permission = require('./permission');
 
 module.exports = authorize;
 
-function authorize(roles = []) {
-    // roles param can be a single role string (e.g. Role.User or 'User') 
-    // or an array of roles (e.g. [Role.Admin, Role.User] or ['Admin', 'User'])
-    if (typeof roles === 'string') {
-        roles = [roles];
-    }
+function authorize(permission) {
 
     return [
         // authenticate JWT token and attach user to request object (req.user)
         jwt({ secret, algorithms: ['HS256'] }),
 
         // authorize based on user role
         (req, res, next) => {
-            if (roles.length && !roles.includes(req.user.role)) {
+            let isAuthorized = false
+            if (permission === Permission.FREE_ACCESS) {
+                // route without permission => allow every authenticated users
+                isAuthorized = true
+            }
+            else if (req.user.role) {
+                // retrieve permissions for role
+                const role = Role[req.user.role]
+                if (role && role.permissions.includes(permission)) {
+                    isAuthorized = true
+                }
+            }
+            if (!isAuthorized) {
                 // user's role is not authorized
                 return res.status(401).json({ message: 'Unauthorized' });
             }
+            else {
+                // authentication and authorization successful
+                next();
+            }
 
-            // authentication and authorization successful
-            next();
         }
     ];
 }
diff --git a/a_permissions/backend/_helpers/permission.js b/a_permissions/backend/_helpers/permission.js
@@ -0,0 +1,6 @@
+module.exports = {
+    LIST_USERS: "list_all_users",
+    VIEW_PROFILE: "view_user_profile",
+    FREE_ACCESS: "everybody"
+}
+
diff --git a/a_permissions/backend/_helpers/role.js b/a_permissions/backend/_helpers/role.js
@@ -1,4 +1,23 @@
+const Permission = require("./permission")
+
 module.exports = {
-    Admin: 'Admin',
-    User: 'User'
+    Admin: {
+        name: "Admin",
+        permissions: [
+            Permission.LIST_USERS,
+            Permission.VIEW_PROFILE
+        ]
+    },
+    User: {
+        name: "User",
+        permissions: [
+            Permission.VIEW_PROFILE
+        ]
+    },
+    Guest: {
+        name: "Guest",
+        permissions: [
+            // nothing. Only FREE_ACCESS will be allowed for guests
+        ]
+    }
 }
diff --git a/a_permissions/backend/users/user.service.js b/a_permissions/backend/users/user.service.js
@@ -4,8 +4,8 @@ const Role = require('_helpers/role');
 
 // users hardcoded for simplicity, store in a db for production applications
 const users = [
-    { id: 1, username: 'admin', password: 'admin', firstName: 'Admin', lastName: 'User', role: Role.Admin },
-    { id: 2, username: 'user', password: 'user', firstName: 'Normal', lastName: 'User', role: Role.User }
+    { id: 1, username: 'admin', password: 'admin', firstName: 'Admin', lastName: 'User', role: Role.Admin.name },
+    { id: 2, username: 'user', password: 'user', firstName: 'Normal', lastName: 'User', role: Role.User.name }
 ];
 
 module.exports = {

diff --git a/a_permissions/backend/users/users.controller.js b/a_permissions/backend/users/users.controller.js
@@ -2,12 +2,13 @@
 const router = express.Router();
 const userService = require('./user.service');
 const authorize = require('_helpers/authorize')
+const Permission = require('_helpers/permission');
 const Role = require('_helpers/role');
 
 // routes
 router.post('/authenticate', authenticate);     // public route
-router.get('/', authorize(Role.Admin), getAll); // admin only
-router.get('/:id', authorize(), getById);       // all authenticated users
+router.get('/', authorize(Permission.LIST_USERS), getAll); // admin only
+router.get('/:id', authorize(Permission.VIEW_PROFILE), getById);       // all authenticated users
 module.exports = router;
 
 function authenticate(req, res, next) {
@@ -23,12 +24,15 @@ function getAll(req, res, next) {
 }
 
 function getById(req, res, next) {
-    const currentUser = req.user;
+    const currentUserId = req.user.sub;
     const id = parseInt(req.params.id);
 
-    // only allow admins to access other user records
-    if (id !== currentUser.sub && currentUser.role !== Role.Admin) {
-        return res.status(401).json({ message: 'Unauthorized' });
+    // only allow users with LIST_USERS permission to access other users records
+    if (id !== currentUserId) {
+        const role = Role[req.user.role]
+        if (!role || !role.permissions.includes(Permission.LIST_USERS)) {
+            return res.status(401).json({ message: 'Unauthorized' });
+        }
     }
 
     userService.getById(req.params.id)

diff --git a/a_permissions/frontend/src/_helpers/fake-backend.js b/a_permissions/frontend/src/_helpers/fake-backend.js
diff --git a/a_permissions/frontend/src/_helpers/index.js b/a_permissions/frontend/src/_helpers/index.js
@@ -1,4 +1,3 @@
-export * from './fake-backend';
 export * from './handle-response';
 export * from './request-options';
 export * from './role';