Refactoring to support multiple PDP endpoints.

[jason-fox]

Proposed changes

Refactoring of existing PEP Proxy code to support multiple PDP endpoints. In addition to the simple Keyrock PDP and Authzforce, the following are now supported:

• A XACML JSON endpoint featuring decisions on payload attributes (similar to Authzforce)
• A generic OpenPolicyAgent {allow="true"}
• A basic iSHARE application of simple policySets.

The codebase has been modernized and restructured to use promises using got eliminating the need for callbacks and the cyclometric complexity reduced. The PEP Proxy token is no longer a global variable within the IDM class, but has been moved to express properties, similarly the user info has been placed under req.user as is common practice within Express applications.

• Code coverage has been increased to around 85% by splitting www and app.js into accessible endpoints.
• Test Dependency on MySQL has been removed and replaced with nock
• In memory cache now uses node-cache
• All code has been prettified and annotated with comments
• Additional ENV variables to support additional PDPs added and documented.

There is also a small bug fix related to IP6 support in the getClientIp() function and a standardization of the error message payload.

Types of changes

What types of changes does your code introduce to the project: Put an x in the boxes that apply

• [x] Bugfix (non-breaking change which fixes an issue)
• [x] New feature (non-breaking change which adds functionality)
• [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist

Put an x in the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of them, don't hesitate to ask. We're here to help! This is simply a reminder of what we are going to look for before merging your code.

• [x] I have read the CONTRIBUTING doc
• [x] I have signed the CLA
• [x] I have added tests that prove my fix is effective or that my feature works
• [x] I have added necessary documentation (if appropriate)
• [x] Any dependent changes have been merged and published in downstream modules

Further comments

The selection of got means that all HTTP calls are made using a well supported library - it is much more popular than the old xmlhttprequest, and removes the need for custom code. Similarly the previous caching mechanism was inefficient and just and in memory object. Similarly the splitting out of authorization and access functions makes the code much easier to read, with functions like access.permit() and access.deny()

/**
 * Authenticate the user token via Keyrock and then authorize the action if necessry.
 *
 * @param req - the incoming request
 * @param res - the response to return
 * @param tokens - a collection of auth tokens to use for this verification
 */
async function validateAccessIDM(req, res, tokens) {
  const tenant_header = config.authorization.header ? req.get(config.authorization.header) : undefined;

  try {
    req.user = await IDM.authenticateUser(tokens, req.method, req.path, tenant_header);
    setHeaders(req);
    if (config.authorization.enabled) {
      return PDP.authorize(req, res, tokens.authToken);
    } else {
      //  Authentication only.
      return access.permit(req, res);
    }
  } catch (e) {
    debug(e);
    if (e.status === 404 || e.status === 401) {
      return access.deny(res);
    } else {
      return access.internalError(res, e, 'IDM');
    }
  }
}

[github-actions[bot]]

CLA Assistant Lite bot All contributors have signed the CLA ✍️

[jason-fox]

see: https://coveralls.io/builds/42198636