Refacto on all CNXID replacements in myaccess & consequences

STEINNI
2026-06-26 18:42:59 +00:00
parent 155692f71d
commit a868caf8c9
4 changed files with 37 additions and 22 deletions
+23 -12
@@ -10,31 +10,42 @@ export class AccesRights {
this.rights = config.accessRights this.rights = config.accessRights
} }
mustSubscribe(uid, roles) { expandPattern(pattern, uid, cnxId=null) {
if(/\[CNXID\]/.test(pattern) && !cnxId) return(null)
let item = pattern.replace(/\[UID\]/g, uid)
if(cnxId) item = item.replace(/\[CNXID\]/g, cnxId)
return(item)
}
expandPatterns(patterns, uid, cnxId=null) {
return(patterns.map(item => this.expandPattern(item, uid, cnxId)).filter(item => item != null))
}
mustSubscribe(uid, roles, cnxId=null) {
if(roles.indexOf('*')<0) roles.push('*') if(roles.indexOf('*')<0) roles.push('*')
let chans = [] let chans = []
for(let myRole of roles){ for(let myRole of roles){
for(let rightBlock of this.rights) { for(let rightBlock of this.rights) {
if(!rightBlock.mustSubscribe) continue if(!rightBlock.mustSubscribe) continue
if((rightBlock.roles=='*') || (rightBlock.roles.indexOf(myRole)>-1)) { if((rightBlock.roles=='*') || (rightBlock.roles.indexOf(myRole)>-1)) {
chans = this.merge(chans, rightBlock.mustSubscribe.map(item=>item.replace(/\[UID\]/g,uid))) chans = this.merge(chans, this.expandPatterns(rightBlock.mustSubscribe, uid, cnxId))
} }
} }
} }
return(chans) return(chans)
} }
isMandatory(uid, roles, chan){ isMandatory(uid, roles, chan, cnxId=null){
return(this.mustSubscribe(uid, roles).filter(this.chanMatch.bind(this, chan)).length>0) return(this.mustSubscribe(uid, roles, cnxId).filter(this.chanMatch.bind(this, chan)).length>0)
} }
canSubscribe(uid, roles, myChan) { canSubscribe(uid, roles, myChan, cnxId=null) {
if(roles.indexOf('*')<0) roles.push('*') if(roles.indexOf('*')<0) roles.push('*')
for(let myRole of roles){ for(let myRole of roles){
for(let rightBlock of this.rights) { for(let rightBlock of this.rights) {
if(!rightBlock.canSubscribe) continue if(!rightBlock.canSubscribe) continue
if((rightBlock.roles=='*') || (rightBlock.roles.indexOf(myRole)>-1)) { if((rightBlock.roles=='*') || (rightBlock.roles.indexOf(myRole)>-1)) {
let canSubList = rightBlock.canSubscribe.map(item=>item.replace(/\[UID\]/g, uid)) let canSubList = this.expandPatterns(rightBlock.canSubscribe, uid, cnxId)
if(canSubList.find(this.chanMatch.bind(this, myChan))) return(true) if(canSubList.find(this.chanMatch.bind(this, myChan))) return(true)
} }
} }
@@ -43,13 +54,13 @@ export class AccesRights {
return(false) return(false)
} }
canPublish(uid, roles, myChan) { canPublish(uid, roles, myChan, cnxId=null) {
if(roles.indexOf('*')<0) roles.push('*') if(roles.indexOf('*')<0) roles.push('*')
for(let myRole of roles){ for(let myRole of roles){
for(let rightBlock of this.rights) { for(let rightBlock of this.rights) {
if(!rightBlock.canPublish) continue if(!rightBlock.canPublish) continue
if((rightBlock.roles=='*') || (rightBlock.roles.indexOf(myRole)>-1)) { if((rightBlock.roles=='*') || (rightBlock.roles.indexOf(myRole)>-1)) {
let canPubList = rightBlock.canPublish.map(item=>item.replace(/\[UID\]/g, uid)) let canPubList = this.expandPatterns(rightBlock.canPublish, uid, cnxId)
if(canPubList.find(this.chanMatch.bind(this, myChan))) return(true) if(canPubList.find(this.chanMatch.bind(this, myChan))) return(true)
} }
} }
@@ -58,13 +69,13 @@ export class AccesRights {
return(false) return(false)
} }
canSet(uid, roles, myKey){ canSet(uid, roles, myKey, cnxId=null){
if(roles.indexOf('*')<0) roles.push('*') if(roles.indexOf('*')<0) roles.push('*')
for(let myRole of roles){ for(let myRole of roles){
for(let rightBlock of this.rights) { for(let rightBlock of this.rights) {
if(!rightBlock.canSet) continue if(!rightBlock.canSet) continue
if((rightBlock.roles=='*') || (rightBlock.roles.indexOf(myRole)>-1)) { if((rightBlock.roles=='*') || (rightBlock.roles.indexOf(myRole)>-1)) {
let canSetList = rightBlock.canSet.map(item=>item.replace(/\[UID\]/g, uid)) let canSetList = this.expandPatterns(rightBlock.canSet, uid, cnxId)
if(canSetList.find(this.chanMatch.bind(this, myKey))) return(true) if(canSetList.find(this.chanMatch.bind(this, myKey))) return(true)
} }
} }
@@ -73,13 +84,13 @@ export class AccesRights {
return(false) return(false)
} }
canGet(uid, roles, myKey){ canGet(uid, roles, myKey, cnxId=null){
if(roles.indexOf('*')<0) roles.push('*') if(roles.indexOf('*')<0) roles.push('*')
for(let myRole of roles){ for(let myRole of roles){
for(let rightBlock of this.rights) { for(let rightBlock of this.rights) {
if(!rightBlock.canGet) continue if(!rightBlock.canGet) continue
if((rightBlock.roles=='*') || (rightBlock.roles.indexOf(myRole)>-1)) { if((rightBlock.roles=='*') || (rightBlock.roles.indexOf(myRole)>-1)) {
let canGetList = rightBlock.canGet.map(item=>item.replace(/\[UID\]/g, uid)) let canGetList = this.expandPatterns(rightBlock.canGet, uid, cnxId)
if(canGetList.find(this.chanMatch.bind(this, myKey))) return(true) if(canGetList.find(this.chanMatch.bind(this, myKey))) return(true)
} }
} }
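Review bot: In `expandPattern`, `uid` and `cnxId` are passed to `replace()` as replacement strings, so `$&`- or `$'`-style sequences inside them are interpreted rather than inserted literally, and because the two replacements run one after the other, a `uid` that contains the text `[CNXID]` is expanded again by the second call. The result is the ACL entry handed to `chanMatch`, so both values should be inserted verbatim in a single pass, e.g. `let item = pattern.replace(/\[(UID|CNXID)\]/g, (m, k) => k === 'UID' ? uid : cnxId)`. If `chanMatch` (not visible here) gives any character a wildcard meaning, identifiers containing it should also be rejected before expansion. The early `return(null)` for a missing `cnxId` fails closed; a one-line comment such as `// pattern needs a connection id we do not have: drop it rather than match a literal [CNXID]` would record that this is deliberate.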
+11 -7
@@ -21,7 +21,8 @@ export const methods = {
for(var chan of payload){ for(var chan of payload){
if((!chan) || (typeof(chan)!='string')) continue if((!chan) || (typeof(chan)!='string')) continue
chan = chan.replace(/\[UID\]/g, this.userId) chan = chan.replace(/\[UID\]/g, this.userId)
if(!this.accessRights.canSubscribe(this.userId, this.roles, chan)) { chan = chan.replace(/\[CNXID\]/g, this.uuid)
if(!this.accessRights.canSubscribe(this.userId, this.roles, chan, this.uuid)) {
if(this.debug) console.log('SUB: No rights to this chan!', this.userId, this.roles, chan) if(this.debug) console.log('SUB: No rights to this chan!', this.userId, this.roles, chan)
continue continue
} }
@@ -73,8 +74,9 @@ export const methods = {
let unSubscribed = [] let unSubscribed = []
for(var chan of payload){ for(var chan of payload){
if((!chan) || (typeof(chan)!='string')) continue if((!chan) || (typeof(chan)!='string')) continue
chan = chan.replace(/\[UID\]/g, this.userId) chan = chan.replace(/\[UID\]/g, this.userId)
if(this.accessRights.isMandatory(this.userId, this.roles, chan)) continue chan = chan.replace(/\[CNXID\]/g, this.uuid)
if(this.accessRights.isMandatory(this.userId, this.roles, chan, this.uuid)) continue
let couldUnsubscribe = false let couldUnsubscribe = false
for(const rediscnx of this.allRediscnx){ for(const rediscnx of this.allRediscnx){
@@ -148,7 +150,7 @@ export const methods = {
return; return;
}; };
if( (!this.accessRights.canPublish(this.userId, this.roles, payload.chan)) ) { if( (!this.accessRights.canPublish(this.userId, this.roles, payload.chan, this.uuid)) ) {
this.sendErr(action, 'Unauthorized chan !', reqid); this.sendErr(action, 'Unauthorized chan !', reqid);
if(this.debug) console.log('PUB: Unauthorized chan', payload.chan, this.userId, this.roles) if(this.debug) console.log('PUB: Unauthorized chan', payload.chan, this.userId, this.roles)
return return
@@ -228,15 +230,17 @@ export const methods = {
return return
} }
if( (!this.accessRights.canSubscribe(this.userId, this.roles, payload.channel)) ) { payload.channel = payload.channel.replace(/\[UID\]/g, this.userId)
.replace(/\[CNXID\]/g, this.uuid)
if( (!this.accessRights.canSubscribe(this.userId, this.roles, payload.channel, this.uuid)) ) {
this.sendErr(action, 'CHANHIST: Unauthorized channel !', reqid) this.sendErr(action, 'CHANHIST: Unauthorized channel !', reqid)
return return
} }
const primaryRediscnx = this.allRediscnx.find(cnx => ((chan.startsWith(cnx.redisConfig.chansNamespace)) &&(cnx.redisConfig.role=='primary')) ) const primaryRediscnx = this.allRediscnx.find(cnx => ((payload.channel.startsWith(cnx.redisConfig.chansNamespace)) &&(cnx.redisConfig.role=='primary')) )
if(!primaryRediscnx){ if(!primaryRediscnx){
this.sendErr(action, 'No primary redis for this chan !', reqid); this.sendErr(action, 'No primary redis for this chan !', reqid);
if(this.debug) console.log('CHANHIST: No primary redis for this chan ', chan) if(this.debug) console.log('CHANHIST: No primary redis for this chan ', payload.channel)
return return
} }
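Review bot: In the CHANHIST hunk, `payload.channel.replace(...)` is called on a client-supplied value before any type check that is visible here, whereas the subscribe and unsubscribe loops first skip non-string entries with `typeof(chan)!='string'`. If the validation above the hunk only tests for presence, a non-string `channel` throws inside the handler instead of producing an error reply. A guard before the expansion, such as `if(typeof(payload.channel)!='string') { this.sendErr(action, 'CHANHIST: Unauthorized channel !', reqid); return }`, would keep the paths consistent. The publish hunk passes `payload.chan` to `canPublish` without expanding `[UID]`/`[CNXID]`, unlike the other three paths; if that is intentional, a short comment saying so would help.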
+2 -2
@@ -30,7 +30,7 @@ export const methods = {
return return
} }
if(!this.accessRights.canSet(this.userId, this.roles, payload.key)){ if(!this.accessRights.canSet(this.userId, this.roles, payload.key, this.uuid)){
this.sendErr(action, 'Unauthorized key !', reqid); this.sendErr(action, 'Unauthorized key !', reqid);
return return
} }
@@ -92,7 +92,7 @@ export const methods = {
return; return;
}; };
if(!this.accessRights.canGet(this.userId, this.roles, payload.key)) { if(!this.accessRights.canGet(this.userId, this.roles, payload.key, this.uuid)) {
console.log('Unauth GET key:',this.userId, this.roles, payload.key) console.log('Unauth GET key:',this.userId, this.roles, payload.key)
this.sendErr(action, 'Unauthorized key !', reqid); this.sendErr(action, 'Unauthorized key !', reqid);
return return
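Review bot: The denial log after `canGet` still prints only `this.userId`, `this.roles` and `payload.key`, although the decision now also depends on `this.uuid`, and the `canSet` denial in the first hunk logs nothing. Including the connection id, e.g. `console.log('Unauth GET key:', this.userId, this.uuid, this.roles, payload.key)`, and logging the SET denial the same way would let a refused request be tied to the connection that made it. Unlike the channel handlers, `payload.key` is not expanded for `[UID]`/`[CNXID]` before the check; a comment stating whether that is deliberate would help. Both handlers start and end outside these hunks.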
+1 -1
@@ -104,7 +104,7 @@ export class WssConnexion {
} }
subscribeMandatoryChans(){ subscribeMandatoryChans(){
let mandaChans = this.accessRights.mustSubscribe(this.userId, this.roles) let mandaChans = this.accessRights.mustSubscribe(this.userId, this.roles, this.uuid)
for(let rediscnx of this.allRediscnx){ for(let rediscnx of this.allRediscnx){
mandaChans = mandaChans.filter(chan => chan.startsWith(rediscnx.redisConfig.chansNamespace)) mandaChans = mandaChans.filter(chan => chan.startsWith(rediscnx.redisConfig.chansNamespace))
mandaChans = mandaChans.map(item=>rediscnx.redisConfig.basePrefix+item) mandaChans = mandaChans.map(item=>rediscnx.redisConfig.basePrefix+item)
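Review bot: `mustSubscribe` now silently drops every pattern containing `[CNXID]` when its third argument is falsy, so this call depends on `this.uuid` being assigned before `subscribeMandatoryChans()` runs, which the hunk does not show. A connection that reaches this point without a uuid would miss its per-connection mandatory channels with no error. A guard at the top of the method, such as `if(!this.uuid) throw new Error('subscribeMandatoryChans called before uuid is set')`, or at least a comment stating the ordering requirement, would make that explicit. The method body continues past the end of the hunk.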