Refactoring of existing PEP Proxy code to support multiple PDP endpoints. In addition to the simple Keyrock PDP and Authzforce, the following are now supported:
A XACML JSON endpoint featuring decisions on payload attributes (similar to Authzforce)
The codebase has been modernized and restructured to use promises using got eliminating the need for callbacks and the cyclometric complexity reduced. The PEP Proxy token is no longer a global variable within the IDM class, but has been moved to express properties, similarly the user info has been placed under req.user as is common practice within Express applications.
Code coverage has been increased to around 85% by splitting www and app.js into accessible endpoints.
Test Dependency on MySQL has been removed and replaced with nock
All code has been prettified and annotated with comments
Additional ENV variables to support additional PDPs added and documented.
There is also a small bug fix related to IP6 support in the getClientIp() function and a standardization of the error message payload.
Types of changes
What types of changes does your code introduce to the project: Put an x in the boxes that apply
[x] Bugfix (non-breaking change which fixes an issue)
[x] New feature (non-breaking change which adds functionality)
[ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
Checklist
Put an x in the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of
them, don't hesitate to ask. We're here to help! This is simply a reminder of what we are going to look for before
merging your code.
[x] I have added tests that prove my fix is effective or that my feature works
[x] I have added necessary documentation (if appropriate)
[x] Any dependent changes have been merged and published in downstream modules
Further comments
The selection of got means that all HTTP calls are made using a well supported library - it is much more popular than the old xmlhttprequest, and removes the need for custom code. Similarly the previous caching mechanism was inefficient and just and in memory object. Similarly the splitting out of authorization and access functions makes the code much easier to read, with functions like access.permit() and access.deny()
/**
* Authenticate the user token via Keyrock and then authorize the action if necessry.
*
* @param req - the incoming request
* @param res - the response to return
* @param tokens - a collection of auth tokens to use for this verification
*/
async function validateAccessIDM(req, res, tokens) {
const tenant_header = config.authorization.header ? req.get(config.authorization.header) : undefined;
try {
req.user = await IDM.authenticateUser(tokens, req.method, req.path, tenant_header);
setHeaders(req);
if (config.authorization.enabled) {
return PDP.authorize(req, res, tokens.authToken);
} else {
// Authentication only.
return access.permit(req, res);
}
} catch (e) {
debug(e);
if (e.status === 404 || e.status === 401) {
return access.deny(res);
} else {
return access.internalError(res, e, 'IDM');
}
}
}
Proposed changes
Refactoring of existing PEP Proxy code to support multiple PDP endpoints. In addition to the simple Keyrock PDP and Authzforce, the following are now supported:
{allow="true"}
policySets
.The codebase has been modernized and restructured to use promises using got eliminating the need for callbacks and the cyclometric complexity reduced. The PEP Proxy token is no longer a global variable within the IDM class, but has been moved to express properties, similarly the user info has been placed under
req.user
as is common practice within Express applications.www
andapp.js
into accessible endpoints.There is also a small bug fix related to IP6 support in the
getClientIp()
function and a standardization of the error message payload.Types of changes
What types of changes does your code introduce to the project: Put an
x
in the boxes that applyChecklist
Put an
x
in the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of them, don't hesitate to ask. We're here to help! This is simply a reminder of what we are going to look for before merging your code.Further comments
The selection of
got
means that all HTTP calls are made using a well supported library - it is much more popular than the oldxmlhttprequest
, and removes the need for custom code. Similarly the previous caching mechanism was inefficient and just and in memory object. Similarly the splitting out of authorization and access functions makes the code much easier to read, with functions likeaccess.permit()
andaccess.deny()