From a868caf8c93ccda9dafb7ac1df91ae6d2d11ed4d Mon Sep 17 00:00:00 2001
From: STEINNI
Date: Fri, 26 Jun 2026 18:42:59 +0000
Subject: [PATCH] Refacto on all CNXID replacements in myaccess & consequences
---
accesRights.js | 35 +++++++++++++++++++++++------------
actions/pubSub.js | 18 +++++++++++-------
actions/store.js | 4 ++--
wssConnexion.js | 2 +-
4 files changed, 37 insertions(+), 22 deletions(-)
diff --git a/accesRights.js b/accesRights.js
index ea0df40..f111127 100644
--- a/accesRights.js
+++ b/accesRights.js
@@ -10,31 +10,42 @@ export class AccesRights { this.rights = config.accessRights } - mustSubscribe(uid, roles) { + expandPattern(pattern, uid, cnxId=null) { + if(/\[CNXID\]/.test(pattern) && !cnxId) return(null) + let item = pattern.replace(/\[UID\]/g, uid) + if(cnxId) item = item.replace(/\[CNXID\]/g, cnxId) + return(item) + } + + expandPatterns(patterns, uid, cnxId=null) { + return(patterns.map(item => this.expandPattern(item, uid, cnxId)).filter(item => item != null)) + } + + mustSubscribe(uid, roles, cnxId=null) { if(roles.indexOf('*')<0) roles.push('*') let chans = [] for(let myRole of roles){ for(let rightBlock of this.rights) { if(!rightBlock.mustSubscribe) continue if((rightBlock.roles=='*') || (rightBlock.roles.indexOf(myRole)>-1)) { - chans = this.merge(chans, rightBlock.mustSubscribe.map(item=>item.replace(/\[UID\]/g,uid))) + chans = this.merge(chans, this.expandPatterns(rightBlock.mustSubscribe, uid, cnxId)) } } } return(chans) } - isMandatory(uid, roles, chan){ - return(this.mustSubscribe(uid, roles).filter(this.chanMatch.bind(this, chan)).length>0) + isMandatory(uid, roles, chan, cnxId=null){ + return(this.mustSubscribe(uid, roles, cnxId).filter(this.chanMatch.bind(this, chan)).length>0) } - canSubscribe(uid, roles, myChan) { + canSubscribe(uid, roles, myChan, cnxId=null) { if(roles.indexOf('*')<0) roles.push('*') for(let myRole of roles){ for(let rightBlock of this.rights) { if(!rightBlock.canSubscribe) continue if((rightBlock.roles=='*') || (rightBlock.roles.indexOf(myRole)>-1)) { - let canSubList = rightBlock.canSubscribe.map(item=>item.replace(/\[UID\]/g, uid)) + let canSubList = this.expandPatterns(rightBlock.canSubscribe, uid, cnxId) if(canSubList.find(this.chanMatch.bind(this, myChan))) return(true) } } 
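Review bot: In `expandPattern`, `uid` is handed to `String.prototype.replace` as a replacement string and the `[CNXID]` pass then runs over the already-substituted result, so a `uid` containing `$` sequences or the literal text `[CNXID]` would be rewritten rather than inserted verbatim into the access rule. Whether `uid` can carry such characters depends on how it is issued, which is not visible here, but the rule expander should not rely on that. A single pass with a function replacer avoids both effects: `const item = pattern.replace(/\[(UID|CNXID)\]/g, (m, key) => key === 'UID' ? uid : cnxId)`, keeping the existing `!cnxId` guard above it. The same two-step `.replace` with `this.userId` appears in the subscribe, unsubscribe and CHANHIST hunks of actions/pubSub.js.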
@@ -43,13 +54,13 @@ export class AccesRights { return(false) } - canPublish(uid, roles, myChan) { + canPublish(uid, roles, myChan, cnxId=null) { if(roles.indexOf('*')<0) roles.push('*') for(let myRole of roles){ for(let rightBlock of this.rights) { if(!rightBlock.canPublish) continue if((rightBlock.roles=='*') || (rightBlock.roles.indexOf(myRole)>-1)) { - let canPubList = rightBlock.canPublish.map(item=>item.replace(/\[UID\]/g, uid)) + let canPubList = this.expandPatterns(rightBlock.canPublish, uid, cnxId) if(canPubList.find(this.chanMatch.bind(this, myChan))) return(true) } } @@ -58,13 +69,13 @@ export class AccesRights { return(false) } - canSet(uid, roles, myKey){ + canSet(uid, roles, myKey, cnxId=null){ if(roles.indexOf('*')<0) roles.push('*') for(let myRole of roles){ for(let rightBlock of this.rights) { if(!rightBlock.canSet) continue if((rightBlock.roles=='*') || (rightBlock.roles.indexOf(myRole)>-1)) { - let canSetList = rightBlock.canSet.map(item=>item.replace(/\[UID\]/g, uid)) + let canSetList = this.expandPatterns(rightBlock.canSet, uid, cnxId) if(canSetList.find(this.chanMatch.bind(this, myKey))) return(true) } } @@ -73,13 +84,13 @@ export class AccesRights { return(false) } - canGet(uid, roles, myKey){ + canGet(uid, roles, myKey, cnxId=null){ if(roles.indexOf('*')<0) roles.push('*') for(let myRole of roles){ for(let rightBlock of this.rights) { if(!rightBlock.canGet) continue if((rightBlock.roles=='*') || (rightBlock.roles.indexOf(myRole)>-1)) { - let canGetList = rightBlock.canGet.map(item=>item.replace(/\[UID\]/g, uid)) + let canGetList = this.expandPatterns(rightBlock.canGet, uid, cnxId) if(canGetList.find(this.chanMatch.bind(this, myKey))) return(true) } } diff --git a/actions/pubSub.js b/actions/pubSub.js index bba1e96..53ee4cd 100644 --- a/actions/pubSub.js +++ b/actions/pubSub.js 
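Review bot: The new trailing `cnxId=null` parameter on `canPublish`, `canSet` and `canGet` (and on `mustSubscribe`, `isMandatory` and `canSubscribe` in the previous hunk) is undocumented, yet it silently changes the authorization result when it is omitted or when the caller's `this.uuid` is not set, because `expandPattern` drops every rule that contains `[CNXID]`. For the `can*` checks that fails closed, but for `mustSubscribe` and `isMandatory` it means a connection-scoped mandatory channel is simply not treated as mandatory. A short comment on each method would make this explicit, e.g. `// cnxId: connection id for [CNXID] rules; when null those rules are skipped, not matched`. The method bodies extend beyond these hunks.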
@@ -21,7 +21,8 @@ export const methods = { for(var chan of payload){ if((!chan) || (typeof(chan)!='string')) continue chan = chan.replace(/\[UID\]/g, this.userId) - if(!this.accessRights.canSubscribe(this.userId, this.roles, chan)) { + chan = chan.replace(/\[CNXID\]/g, this.uuid) + if(!this.accessRights.canSubscribe(this.userId, this.roles, chan, this.uuid)) { if(this.debug) console.log('SUB: No rights to this chan!', this.userId, this.roles, chan) continue } @@ -73,8 +74,9 @@ export const methods = { let unSubscribed = [] for(var chan of payload){ if((!chan) || (typeof(chan)!='string')) continue - chan = chan.replace(/\[UID\]/g, this.userId) - if(this.accessRights.isMandatory(this.userId, this.roles, chan)) continue + chan = chan.replace(/\[UID\]/g, this.userId) + chan = chan.replace(/\[CNXID\]/g, this.uuid) + if(this.accessRights.isMandatory(this.userId, this.roles, chan, this.uuid)) continue let couldUnsubscribe = false for(const rediscnx of this.allRediscnx){ @@ -148,7 +150,7 @@ export const methods = { return; }; - if( (!this.accessRights.canPublish(this.userId, this.roles, payload.chan)) ) { + if( (!this.accessRights.canPublish(this.userId, this.roles, payload.chan, this.uuid)) ) { this.sendErr(action, 'Unauthorized chan !', reqid); if(this.debug) console.log('PUB: Unauthorized chan', payload.chan, this.userId, this.roles) return 
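Review bot: In the publish hunk `payload.chan` reaches `canPublish` exactly as received, while the subscribe and unsubscribe hunks above first expand `[UID]` and `[CNXID]` in the client-supplied name, so the same channel name is normalised differently depending on the action. If clients are expected to use the placeholders when publishing, the literal text is compared against already-expanded rules and may not match; if they are not, a one-line comment saying so would keep the next refactor from guessing. For parity, after a `typeof` string check, the name could be expanded before the check with `const chan = payload.chan.replace(/\[(UID|CNXID)\]/g, (m, k) => k === 'UID' ? this.userId : this.uuid)`. The handler continues outside the hunk, so how `payload.chan` is used afterwards is not visible.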
@@ -228,15 +230,17 @@ export const methods = { return } - if( (!this.accessRights.canSubscribe(this.userId, this.roles, payload.channel)) ) { + payload.channel = payload.channel.replace(/\[UID\]/g, this.userId) + .replace(/\[CNXID\]/g, this.uuid) + if( (!this.accessRights.canSubscribe(this.userId, this.roles, payload.channel, this.uuid)) ) { this.sendErr(action, 'CHANHIST: Unauthorized channel !', reqid) return } - const primaryRediscnx = this.allRediscnx.find(cnx => ((chan.startsWith(cnx.redisConfig.chansNamespace)) &&(cnx.redisConfig.role=='primary')) ) + const primaryRediscnx = this.allRediscnx.find(cnx => ((payload.channel.startsWith(cnx.redisConfig.chansNamespace)) &&(cnx.redisConfig.role=='primary')) ) if(!primaryRediscnx){ this.sendErr(action, 'No primary redis for this chan !', reqid); - if(this.debug) console.log('CHANHIST: No primary redis for this chan ', chan) + if(this.debug) console.log('CHANHIST: No primary redis for this chan ', payload.channel) return } diff --git a/actions/store.js b/actions/store.js index e533206..8ff709c 100644 --- a/actions/store.js +++ b/actions/store.js @@ -30,7 +30,7 @@ export const methods = { return } - if(!this.accessRights.canSet(this.userId, this.roles, payload.key)){ + if(!this.accessRights.canSet(this.userId, this.roles, payload.key, this.uuid)){ this.sendErr(action, 'Unauthorized key !', reqid); return } @@ -92,7 +92,7 @@ export const methods = { return; }; - if(!this.accessRights.canGet(this.userId, this.roles, payload.key)) { + if(!this.accessRights.canGet(this.userId, this.roles, payload.key, this.uuid)) { console.log('Unauth GET key:',this.userId, this.roles, payload.key) this.sendErr(action, 'Unauthorized key !', reqid); return diff --git a/wssConnexion.js b/wssConnexion.js index 3a68ec9..076e260 100644 --- a/wssConnexion.js +++ b/wssConnexion.js 
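Review bot: The added `payload.channel.replace(...)` in the CHANHIST hunk runs before any string check visible here, so a client message whose `channel` is missing or not a string would throw a TypeError inside the handler instead of receiving the `sendErr` reply. The subscribe loop guards the same call with `typeof(chan)!='string'`. The validation just above this hunk is not shown, so this may already be covered there. If it is not, add `if(typeof(payload.channel)!='string') { this.sendErr(action, 'CHANHIST: Unauthorized channel !', reqid); return }` before the expansion.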
@@ -104,7 +104,7 @@ export class WssConnexion { } subscribeMandatoryChans(){ - let mandaChans = this.accessRights.mustSubscribe(this.userId, this.roles) + let mandaChans = this.accessRights.mustSubscribe(this.userId, this.roles, this.uuid) for(let rediscnx of this.allRediscnx){ mandaChans = mandaChans.filter(chan => chan.startsWith(rediscnx.redisConfig.chansNamespace)) mandaChans = mandaChans.map(item=>rediscnx.redisConfig.basePrefix+item)