router-authz.js revision 4c50f129b49781374cbf91f49eeb5c97546ce492
/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2011-2012 ForgeRock AS. All rights reserved.
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*/
/*
* This script is called from the router "onRequest" trigger, to enforce a central
* set of authorization rules.
*
* This default implemention simply restricts requests via HTTP to users that are assigned
* an "openidm-admin" role, and optionally to those that authenticate with TLS mutual
* authentication (assigned an "openidm-cert" role).
*/
/*jslint regexp:false sub:true */
/*global httpAccessConfig */
//reinventing the wheel a bit, here; eventually move to underscore's isEqual method
return false; // mismatching types indicate a failed match
} else { // they must both be objects, so traverse them
for (i in obj1) {
return false;
}
}
for (i in obj2) { // checks for any properties in obj2 which were not in obj1, and so missed above
if (typeof(obj1[i]) === "undefined") {
return false;
}
}
return true;
}
}
if (pattern === "*") {
// Accept all patterns
return true;
// pattern matches exactly
return true;
// Ends with "/*" or "/"
// See if parent pattern matches
if (id.length >= parentResource.length && id.substring(0, parentResource.length) === parentResource) {
return true;
}
}
return false;
}
function containsIgnoreCase(a, o) {
if (typeof(a) !== 'undefined' && a !== null) {
for (i = 0; i <= a.length; i++) {
str1 = o;
str2 = a[i];
if (typeof(o) !== 'undefined' && o !== null) {
str1 = o.toLowerCase();
}
if (typeof(a[i]) !== 'undefined' && a[i] !== null) {
str2 = a[i].toLowerCase();
}
return true;
}
}
}
return false;
}
var i;
return true;
}
return true;
}
}
return false;
}
return true;
}
}
function contains(a, o) {
var i;
if (typeof(a) !== 'undefined' && a !== null) {
for (i = 0; i <= a.length; i++) {
if (a[i] === o) {
return true;
}
}
}
return false;
}
function isMyTask() {
}
}
}
function isUserCandidateForTask(taskInstanceId) {
var userCandidateTasksQueryParams = {
"_queryId": "filtered-query",
},
return true;
}
}
roles = "";
if (i === 0) {
} else {
}
}
"_queryId": "filtered-query",
};
userGroupCandidateTasks = openidm.query("workflow/taskinstance", userGroupCandidateTasksQueryParams).result;
return true;
}
}
return false;
}
function canUpdateTask() {
}
function isProcessOnUsersList(processDefinitionId) {
var processesForUserQueryParams = {
"_queryId": "query-processes-for-user",
},
isProcessOneOfUserProcesses = false,
i;
isProcessOneOfUserProcesses = true;
}
}
return isProcessOneOfUserProcesses;
}
function isAllowedToStartProcess() {
return isProcessOnUsersList(processDefinitionId);
}
function isOneOfMyWorkflows() {
return isProcessOnUsersList(processDefinitionId);
}
function isQueryOneOf(allowedQueries) {
if (
)
{
return true;
}
return false;
}
function checkIfUIIsEnabled(param) {
returnVal = false;
}
function ownDataOnly() {
// in the case of a literal read on themselves
}
getTopLevelProp = function (prop) {
// removes a leading slash and only returns the first part of a string before a possible subsequent slash
};
return true;
}
// we could accept a csv list or an array of properties for the allowedPropertiesList arg.
if (typeof allowedPropertiesList === "string") {
}
if (!request.patchOperations) {
return true;
}
// check each of the fields they are attempting to patch and make sure they are approved
for (i in request.patchOperations) {
if ((request.patchOperations[i].field && !containsIgnoreCase(allowedPropertiesList, getTopLevelProp(request.patchOperations[i].field)))) {
return false;
}
}
return true;
}
if (!currentUser) { // this would be odd, but just in case
return false;
}
// if the new value does not match the current value, then they must be updating it
// if the field they are attempting to update isn't allowed for them, then reject request.
if (!deepCompare(currentUser[i], request.content[i]) && !containsIgnoreCase(allowedPropertiesList,i)) {
return false;
}
}
return true;
}
// they should only be providing parameters that they are allowed to define
if (!containsIgnoreCase(allowedPropertiesList,i)) {
return false;
}
}
}
return true;
}
function disallowQueryExpression() {
return !request.queryExpression;
}
//////// Do not alter functions below here as part of your authz configuration
// Check resource ID
// Check excludePatterns
ex = false;
ex = true;
break;
}
}
}
if (!ex) {
// Check roles
// Check method
// Check action
return true;
}
} else {
return true;
}
}
}
}
}
}
}
return false;
}
function isAJAXRequest() {
// one of these custom headers must be present for all HTTP-based requests, to prevent CSRF attacks
// X-Requested-With is common from AJAX libraries such as jQuery
// Basic auth headers are acceptible for convenience from cURL commands;
// We don't return the request header to prompt the browser to provide basic auth headers,
// so it will only be present if someone explicitly provides them, as in a cURL request.
// The custom authn headers for OpenIDM
return true;
}
return false;
}
function allow() {
var roles,
return true;
}
action = "";
}
// Check REST requests against the access configuration
if (!isAJAXRequest()) {
return false;
}
return true;
}
}
}
// Load the access configuration script (httpAccessConfig obj)
if (!allow()) {
// console.log(request);
throw {
"code" : 403,
"message" : "Access denied"
};
}