1 /*
2 *
3 * Copyright 2017 RIFT.IO Inc
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 */
18
19 /**
20 * Auth util for use across the api_server.
21 * @module framework/core/api_utils/auth
22 * @author Kiran Kashalkar <kiran.kashalkar@riftio.com>
23 */
24
25 var jsonLoader = require('require-json');
26 var passport = require('passport');
27 var OpenIdConnectStrategy = require('passport-openidconnect').Strategy;
28 var BearerStrategy = require('passport-http-bearer').Strategy;
29 var OAuth2Strategy = require('passport-oauth2');
30 var OAuth2RefreshTokenStrategy = require('passport-oauth2-middleware').Strategy;
31 var openidConnectConfig = require('./openidconnect_config.json');
32 var _ = require('lodash');
33 var constants = require('./constants');
34 var utils = require('./utils');
35 var request = utils.request;
36 var rp = require('request-promise');
37 var nodeutil = require('util');
38
39
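/**
 * Wires Passport up with the two strategies the api_server uses:
 *  - 'main'   : an OAuth2 refresh-token strategy that keeps the access token
 *               fresh (REFRESH_WINDOW seconds before expiry) and redirects
 *               unauthenticated users to /login;
 *  - 'oauth2' : an OAuth2 strategy that performs the code exchange against the
 *               IdP and then loads the user's profile from its userinfo endpoint.
 *
 * @constructor
 * @param {Object} openidConfig - runtime endpoint settings:
 *   idpServerProtocol, idpServerAddress, idpServerPortNumber (the IdP), and
 *   callbackServerProtocol, callbackAddress, callbackPortNumber (this server).
 *   The relative paths (authorizationURL, tokenURL, userInfoURL, callbackURL)
 *   come from openidconnect_config.json and are made absolute here.
 */
var Authorization = function(openidConfig) {

    var self = this;

    self.passport = passport;

    // Work on a shallow copy. The require()d JSON object is cached per process,
    // so prefixing its URLs in place (below) would prefix them again on every
    // further `new Authorization(...)`, yielding URLs like "https://idp:443https://idp:443/...".
    self.openidConnectConfig = Object.assign({}, openidConnectConfig);

    var refreshStrategy = new OAuth2RefreshTokenStrategy({
        refreshWindow: constants.REFRESH_WINDOW, // Time in seconds to perform a token refresh before it expires
        userProperty: 'user', // Active user property name to store OAuth tokens
        authenticationURL: '/login', // URL to redirect unauthorized users to
        callbackParameter: 'callback' //URL query parameter name to pass a return URL
    });

    self.passport.use('main', refreshStrategy);

    var openidConfigPrefix = openidConfig.idpServerProtocol + '://' + openidConfig.idpServerAddress + ':' + openidConfig.idpServerPortNumber;

    self.openidConnectConfig.authorizationURL = openidConfigPrefix + self.openidConnectConfig.authorizationURL;
    self.openidConnectConfig.tokenURL = openidConfigPrefix + self.openidConnectConfig.tokenURL;
    self.openidConnectConfig.callbackURL = openidConfig.callbackServerProtocol + '://' + openidConfig.callbackAddress + ':' + openidConfig.callbackPortNumber + self.openidConnectConfig.callbackURL;

    var userInfoURL = openidConfigPrefix + self.openidConnectConfig.userInfoURL;

    /**
     * OAuth2Strategy subclass whose userProfile() is backed by the IdP's
     * userinfo endpoint (the base class does not fetch a profile).
     */
    function SkyquakeOAuth2Strategy(options, verify) {
        OAuth2Strategy.call(this, options, verify);
    }
    nodeutil.inherits(SkyquakeOAuth2Strategy, OAuth2Strategy);

    /**
     * Fetch the authenticated user's profile from the userinfo endpoint.
     *
     * Fails closed: a transport error, a non-200 status, an unparseable body or
     * a body without a `sub` claim is reported through done(err), so the login
     * attempt is rejected rather than completed with an empty identity.
     * (Previously an error produced a "successful" {username:'', subject:''}
     * profile, and a non-200 response never called done() at all, leaving the
     * login request hanging.)
     *
     * @param {string} access_token - bearer token from the token endpoint
     * @param {function(Error=, Object=)} done - node-style callback; on success
     *   receives {username, subject, domain}, where domain falls back to
     *   'system' when the IdP does not return user_domain.
     */
    SkyquakeOAuth2Strategy.prototype.userProfile = function(access_token, done) {

        var requestHeaders = {
            'Authorization': 'Bearer ' + access_token
        };

        request({
            url: userInfoURL,
            type: 'GET',
            headers: requestHeaders,
            forever: constants.FOREVER_ON,
            // NOTE(review): the bearer token is sent in this request; if
            // REJECT_UNAUTHORIZED is false it goes to an unverified TLS peer.
            // Confirm it is true outside development.
            rejectUnauthorized: constants.REJECT_UNAUTHORIZED
        }, function(err, response, body) {
            if (err) {
                console.log('Error obtaining userinfo: ', err);
                return done(err);
            }
            if (response.statusCode != constants.HTTP_RESPONSE_CODES.SUCCESS.OK) {
                console.log('Error obtaining userinfo: HTTP status ' + response.statusCode);
                return done(new Error('userinfo request failed with HTTP status ' + response.statusCode));
            }

            // Parse outside of done() so an exception thrown by the callback
            // itself is not mistaken for a parse error (and done() never runs twice).
            var data;
            try {
                data = JSON.parse(response.body);
            } catch (ex) {
                console.log('Error parsing userinfo data');
                return done(new Error('userinfo response is not valid JSON'));
            }

            // `sub` is the IdP's stable subject identifier; without it there is
            // nothing to bind the session to.
            if (!data || typeof data !== 'object' || typeof data['sub'] !== 'string' || data['sub'] === '') {
                console.log('Error parsing userinfo data: missing sub claim');
                return done(new Error('userinfo response has no sub claim'));
            }

            return done(null, {
                username: data['preferred_username'],
                subject: data['sub'],
                domain: data['user_domain'] || 'system'
            });
        });
    };

    var oauthStrategy = new SkyquakeOAuth2Strategy(self.openidConnectConfig,
        refreshStrategy.getOAuth2StrategyCallback());

    self.passport.use('oauth2', oauthStrategy);
    refreshStrategy.useOAuth2Strategy(oauthStrategy);

    // The user object is persisted into the session verbatim. Since the refresh
    // strategy keeps the OAuth tokens on that same object (userProperty: 'user'
    // above), the session store presumably holds live credentials and must be
    // protected accordingly (server-side store, secure/httpOnly cookie).
    self.passport.serializeUser(function(user, done) {
        done(null, user);
    });

    self.passport.deserializeUser(function(obj, done) {
        done(null, obj);
    });

};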
128
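/**
 * Install the Passport middleware on the Express app.
 *
 * Mounts passport.initialize() and passport.session(); the latter restores the
 * user serialised by serializeUser from the session, so the session middleware
 * presumably has to be mounted on config.app before this is called.
 *
 * @param {{app: Object}} config - must carry the Express app under `app`.
 * @throws {Error} when config or config.app is missing. An app without the
 *   Passport middleware would serve every route unauthenticated, so a bad
 *   config fails closed instead of only being logged.
 */
Authorization.prototype.configure = function(config) {
    this.config = config;
    // Guard `config` itself as well: dereferencing `undefined.app` would
    // otherwise surface as an unhelpful TypeError.
    if (!config || !config.app) {
        console.log('FATAL error. Bad config passed into authorization module');
        throw new Error('Authorization.configure: config.app (Express app) is required');
    }
    // Initialize Passport and restore authentication state, if any, from the
    // session.
    config.app.use(this.passport.initialize());
    config.app.use(this.passport.session());
};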
140
/**
 * Intentionally a no-op at present: the token is neither removed from the
 * session nor revoked at the IdP, so a caller relying on this for logout gets
 * no server-side invalidation. TODO(review): implement or remove.
 *
 * @param {string} token - access token to invalidate (currently ignored)
 */
Authorization.prototype.invalidate_token = function(token) {

};
144
145 module.exports = Authorization;