add validClusterAuth for the subscriptionsByTag resolver

razee-io · Jun 3, 2020 · 9656438 · 9656438
1 parent 4a3ee04
commit 9656438
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 15 deletions.
diff --git a/app/apollo/resolvers/common.js b/app/apollo/resolvers/common.js
@@ -24,6 +24,20 @@ const whoIs = me => {
  return me._id;
 };
 
+const validClusterAuth = async (me, queryName, context) => {
+ const { models } = context;
+ // Users that pass in razee-org-key. ex: ClusterSubscription or curl requests
+ if(me && me.type == 'cluster'){
+ const result = await models.User.isValidOrgKey(models, me);
+ if(!result){
+ throw new ForbiddenError(
+ `Invalid razee-org-key was submitted for ${queryName}`,
+ );
+ }
+ return;
+ }
+}; 
+
 // Validate is user is authorized for the requested action.
 // Throw exception if not.
 const validAuth = async (me, org_id, action, type, queryName, context) => {
@@ -40,17 +54,6 @@ const validAuth = async (me, org_id, action, type, queryName, context) => {
  return;
  }
 
- // Users that pass in razee-org-key. ex: ClusterSubscription or curl requests
- if(me && me.type == 'cluster'){
- const result = await models.User.isValidOrgKey(models, me);
- if(!result){
- throw new ForbiddenError(
- `You are not allowed to ${action} on ${type} for the query ${queryName}. (using razee-org-key)`,
- );
- }
- return;
- }
-
  if (me === null || !(await models.User.isAuthorized(me, org_id, action, type, null, context))) {
  logger.error({req_id, me: whoIs(me), org_id, action, type}, `ForbiddenError - ${queryName}`);
  throw new ForbiddenError(
@@ -67,4 +70,4 @@ class NotFoundError extends ApolloError {
  }
 }
 
-module.exports = { whoIs, validAuth, NotFoundError };
+module.exports = { whoIs, validAuth, NotFoundError, validClusterAuth };
diff --git a/app/apollo/resolvers/organization.js b/app/apollo/resolvers/organization.js
@@ -41,7 +41,6 @@ const organizationResolvers = {
  const queryName = 'organization';
  const { models, me, req_id, logger } = context;
  logger.debug({req_id, args, me: whoIs(me) }, `${queryName} enter`);
- await validAuth(me, null, ACTIONS.MANAGE, TYPES.ORGANIZATION, queryName, context);
  return models.User.getOrg(models, me);
  },
  },

diff --git a/app/apollo/resolvers/subscription.js b/app/apollo/resolvers/subscription.js
@@ -19,7 +19,7 @@ const { v4: UUID } = require('uuid');
 const { withFilter } = require('apollo-server');
 const { ForbiddenError } = require('apollo-server');
 const { ACTIONS, TYPES } = require('../models/const');
-const { whoIs, validAuth, NotFoundError } = require ('./common');
+const { whoIs, validAuth, NotFoundError, validClusterAuth } = require ('./common');
 const getSubscriptionUrls = require('../../utils/subscriptions.js').getSubscriptionUrls;
 const tagsStrToArr = require('../../utils/subscriptions.js').tagsStrToArr;
 const { EVENTS, GraphqlPubSub, getStreamingTopic } = require('../subscription');
@@ -32,7 +32,7 @@ const subscriptionResolvers = {
  const { req_id, me, models, logger } = context;
  const query = 'subscriptionsByTag';
  logger.debug({req_id, user: whoIs(me)}, `${query} enter`);
- await validAuth(me, null, ACTIONS.READ, TYPES.SUBSCRIPTION, query, context);
+ await validClusterAuth(me, query, context);
 
  const org = await models.User.getOrg(models, me);
  if(!org) {