Fine grained access control

package.json

@@ -27,7 +27,7 @@
     "eslint": "8.56.0",
     "esmock": "^2.6.4",
     "mocha": "^10.2.0",
-    "wrangler": "^3.57.0"
+    "wrangler": "^3.103.0"
   },
   "lint-staged": {
     "*.js": "eslint",

src/handlers/post.js

@@ -9,6 +9,7 @@
  * OF ANY KIND, either express or implied. See the License for the specific language
  * governing permissions and limitations under the License.
  */
+import { logout } from '../utils/auth.js';
 import { postSource } from '../routes/source.js';
 import { postConfig } from '../routes/config.js';
 import { postVersionSource } from '../routes/version.js';
@@ -23,6 +24,7 @@
   if (path.startsWith('/versionsource')) return postVersionSource({ req, env, daCtx });
   if (path.startsWith('/copy')) return copyHandler({ req, env, daCtx });
   if (path.startsWith('/move')) return moveRoute({ req, env, daCtx });
+  if (path.startsWith('/logout')) return logout({ env, daCtx });
 
   return undefined;
 }

src/index.js

@@ -48,6 +48,6 @@ export default {
         respObj = unknownHandler();
     }
 
-    return daResp(respObj);
+    return daResp(respObj, daCtx);
   },
 };

src/routes/config.js

@@ -12,11 +12,22 @@
 
 import putKv from '../storage/kv/put.js';
 import getKv from '../storage/kv/get.js';
+import { hasPermission } from '../utils/auth.js';
+
+export async function postConfig({ req, env, daCtx }) {
+  if (!hasPermission(daCtx, 'CONFIG', 'write', true)) {
+    return { status: 403 };
+  }
 
-export function postConfig({ req, env, daCtx }) {
   return putKv(req, env, daCtx);
 }
 
-export function getConfig({ env, daCtx }) {
+export async function getConfig({ env, daCtx }) {
+  // // TODO maybe we should turn the order around?
+  // if (!hasPermission(daCtx, 'CONFIG', 'read', true)) {
+  //   const key = daCtx.key.startsWith('/') ? daCtx.key : `/${daCtx.key}`
+  //   if (!hasPermission(daCtx, key, 'read', true)) { // TODO
+  //     return { status: 403 };
+  // }
   return getKv(env, daCtx);
 }

src/routes/copy.js

@@ -11,8 +11,11 @@
  */
 import copyObject from '../storage/object/copy.js';
 import copyHelper from '../helpers/copy.js';
+import { hasPermission } from '../utils/auth.js';
 
 export default async function copyHandler({ req, env, daCtx }) {
   const details = await copyHelper(req, daCtx);
+  if (!hasPermission(daCtx, details.source, 'read')
+    || !hasPermission(daCtx, details.destination, 'write')) return { status: 403 };
   return copyObject(env, daCtx, details, false);
 }

src/routes/list.js

@@ -11,8 +11,10 @@
  */
 import listBuckets from '../storage/bucket/list.js';
 import listObjects from '../storage/object/list.js';
+import { hasPermission } from '../utils/auth.js';
 
-export default function getList({ env, daCtx }) {
+export default async function getList({ env, daCtx }) {
   if (!daCtx.org) return listBuckets(env, daCtx);
+  if (!hasPermission(daCtx, daCtx.key, 'read')) return { status: 403 };
   return listObjects(env, daCtx);
 }

src/routes/move.js

@@ -11,9 +11,12 @@
  */
 import moveObject from '../storage/object/move.js';
 import moveHelper from '../helpers/move.js';
+import { hasPermission } from '../utils/auth.js';
 
 export default async function moveRoute({ req, env, daCtx }) {
   const details = await moveHelper(req, daCtx);
   if (details.error) return details.error;
+  if (!hasPermission(daCtx, details.source, 'write')
+    || !hasPermission(daCtx, details.destination, 'write')) return { status: 403 };
   return moveObject(env, daCtx, details);
 }

src/routes/source.js

@@ -16,13 +16,16 @@ import { invalidateCollab } from '../storage/utils/object.js';
 
 import putHelper from '../helpers/source.js';
 import deleteHelper from '../helpers/delete.js';
+import { hasPermission } from '../utils/auth.js';
 
 export async function deleteSource({ req, env, daCtx }) {
+  if (!hasPermission(daCtx, daCtx.key, 'write')) return { status: 403 };
   const details = await deleteHelper(req);
   return /* await */ deleteObjects(env, daCtx, details);
 }
 
 export async function postSource({ req, env, daCtx }) {
+  if (!hasPermission(daCtx, daCtx.key, 'write')) return { status: 403 };
   const obj = await putHelper(req, env, daCtx);
   const resp = await putObject(env, daCtx, obj);
 
@@ -36,5 +39,6 @@ export async function postSource({ req, env, daCtx }) {
 }
 
 export async function getSource({ env, daCtx, head }) {
+  if (!hasPermission(daCtx, daCtx.key, 'read')) return { status: 403 };
   return getObject(env, daCtx, head);
 }

src/routes/version.js

@@ -13,15 +13,24 @@
 import { getObjectVersion } from '../storage/version/get.js';
 import { listObjectVersions } from '../storage/version/list.js';
 import { postObjectVersion } from '../storage/version/put.js';
+import { hasPermission } from '../utils/auth.js';
 
 export async function getVersionList({ env, daCtx }) {
+  if (!hasPermission(daCtx, daCtx.key, 'read')) return { status: 403 };
   return listObjectVersions(env, daCtx);
 }
 
 export async function getVersionSource({ env, daCtx, head }) {
-  return getObjectVersion(env, daCtx, head);
+  // daCtx.key is something like
+  // 'f85f9b05-ae48-485b-a3b3-dd203ac5c734/1b7e005b-8602-4053-b920-8e67ad8e8dba.html’
+  // so we have to do the permission check when the object is returned from the metadata.
+
+  const resp = await getObjectVersion(env, daCtx, head);
+  if (!hasPermission(daCtx, resp.metadata?.path, 'read')) return { status: 403 };
+  return resp;
 }
 
 export async function postVersionSource({ req, env, daCtx }) {
+  if (!hasPermission(daCtx, daCtx.key, 'write')) return { status: 403 };
   return postObjectVersion(req, env, daCtx);
 }

src/storage/bucket/list.js

@@ -9,15 +9,14 @@
  * OF ANY KIND, either express or implied. See the License for the specific language
  * governing permissions and limitations under the License.
  */
-import { isAuthorized } from '../../utils/auth.js';
+import { hasPermission } from '../../utils/auth.js';
 
 async function isBucketAuthed(env, daCtx, bucket) {
   const { name, created } = bucket;
-  const userAuth = await Promise.all(
-    daCtx.users.map(async (user) => isAuthorized(env, name, user)),
-  );
-  const notAuthed = userAuth.some((authed) => !authed);
-  if (notAuthed) return null;
+
+  if (!hasPermission(daCtx, name, 'read')) {
+    return null;
+  }
   return { name, created };
 }
 

src/storage/kv/put.js

@@ -10,12 +10,31 @@
  * governing permissions and limitations under the License.
  */
 
+function checkConfigWriter(json) {
+  // Handle both single and multi-sheet
+  const data = json[':sheetname'] === 'permissions' && json[':type'] === 'sheet'
+    ? json.data
+    : json?.permissions?.data;
+
+  if (!data) return true; // Not a permission sheet
+
+  return data.some((e) => e.path?.trim() === 'CONFIG' && e.actions?.trim() === 'write' && e.groups?.trim().length > 0);
+}
+
 async function save(env, key, string) {
   let body;
   let status;
   try {
     // Parse it to at least validate its json
-    JSON.parse(string);
+    const json = JSON.parse(string);
+
+    if (!checkConfigWriter(json)) {
+      return {
+        body: JSON.stringify({ error: 'Should at least specify one user or group that has CONFIG write permission' }),
+        status: 400,
+      };
+    }
+
     // Put it (seems to not return a response)
     await env.DA_CONFIG.put(key, string);
     // Validate the content is there

src/storage/object/copy.js

@@ -19,12 +19,21 @@ import getS3Config from '../utils/config.js';
 import { invalidateCollab } from '../utils/object.js';
 import { putObjectWithVersion } from '../version/put.js';
 import { listCommand } from '../utils/list.js';
+import { hasPermission } from '../../utils/auth.js';
 
 const MAX_KEYS = 900;
 
 export const copyFile = async (config, env, daCtx, sourceKey, details, isRename) => {
   const Key = `${sourceKey.replace(details.source, details.destination)}`;
 
+  if (!hasPermission(daCtx, sourceKey, 'read') || !hasPermission(daCtx, Key, 'write')) {
+    return {
+      $metadata: {
+        httpStatusCode: 403,
+      },
+    };
+  }
+
   const input = {
     Bucket: `${daCtx.org}-content`,
     Key,

src/storage/object/delete.js

@@ -18,6 +18,7 @@ import getS3Config from '../utils/config.js';
 import { invalidateCollab } from '../utils/object.js';
 // import { postObjectVersionWithLabel } from '../version/put.js';
 import { listCommand } from '../utils/list.js';
+import { hasPermission } from '../../utils/auth.js';
 
 export async function deleteObject(client, daCtx, Key, env /* , isMove = false */) {
   // const fname = Key.split('/').pop();
@@ -52,9 +53,9 @@ export default async function deleteObjects(env, daCtx, details) {
 
   try {
     const { sourceKeys, continuationToken } = await listCommand(daCtx, details, client);
-    await Promise.all(sourceKeys.map(async (key) => {
-      await deleteObject(client, daCtx, key, env);
-    }));
+
+    const deleteKeys = sourceKeys.filter((key) => hasPermission(daCtx, key, 'write'));
+    await Promise.all(deleteKeys.map(async (key) => deleteObject(client, daCtx, key, env)));
 
     if (continuationToken) {
       return { body: JSON.stringify({ continuationToken }), status: 206 };

src/storage/object/move.js

@@ -17,6 +17,7 @@ import {
 import getS3Config from '../utils/config.js';
 import { deleteObject } from './delete.js';
 import { copyFile } from './copy.js';
+import { hasPermission } from '../../utils/auth.js';
 
 function buildInput(org, key) {
   return {
@@ -49,18 +50,21 @@ export default async function moveObject(env, daCtx, details) {
       const { Contents = [], NextContinuationToken } = resp;
       sourceKeys.push(...Contents.map(({ Key }) => Key));
 
-      const movedLoad = sourceKeys.map(async (key) => {
-        const result = { key };
-        const copied = await copyFile(config, env, daCtx, key, details, true);
-        // Only delete the source if the file was successfully copied
-        if (copied.$metadata.httpStatusCode === 200) {
-          const deleted = await deleteObject(client, daCtx, key, env, true);
-          result.status = deleted.status === 204 ? 204 : deleted.status;
-        } else {
-          result.status = copied.$metadata.httpStatusCode;
-        }
-        return result;
-      });
+      const movedLoad = sourceKeys
+        .filter((key) => hasPermission(daCtx, key, 'write'))
+        .filter((key) => hasPermission(daCtx, key.replace(details.source, details.destination), 'write'))
+        .map(async (key) => {
+          const result = { key };
+          const copied = await copyFile(config, env, daCtx, key, details, true);
+          // Only delete the source if the file was successfully copied
+          if (copied.$metadata.httpStatusCode === 200) {
+            const deleted = await deleteObject(client, daCtx, key, env, true);
+            result.status = deleted.status === 204 ? 204 : deleted.status;
+          } else {
+            result.status = copied.$metadata.httpStatusCode;
+          }
+          return result;
+        });
 
       results.push(...await Promise.all(movedLoad));