condor-auth
v0.1.1
Published
Condor Authorization Middleware
Downloads
4
Readme
condor-auth
An authorization Middleware for Condor. Condor is a GRPC Framework for node.
This module control access to GRPC methods, based on the access rules defined.
It has been thought to work with JWTs, but you can plug in any other strategy.
Installation
npm i --save condor-framework condor-auth
How to use
By default, this module is designed to work with JWts and role-based authorization. Anyways, it's flexible enough to allow any other authorization strategy.
Role-based authorization
Two steps are needed for role-based authorization to work:
- 1. Map the roles: Define how to obtain the roles from the token (or from anywhere else).
- 2. Configure access rules: Define the roles required to access each of the GRPC methods.
Resource-based authorization
For resource based authorization, you can skip step one, and just use custom validators when defining the access rules.
1. Mapping Roles
By default, condor-auth expects a valid JWT token in the authorization
metadata. It will verify it, and convert it to an object you can easily use.
Then, you need to define how to map the information in the token to the roles the user has.
Let's say for example, that the user has the admin
role in my-grpc-application
, and the user
roles in another-app
.
Here's an example on how you would instantiate condor-auth and map the permissions.
// index.js
const Condor = require('condor-framework');
const Auth = require('condor-auth').Auth;
const Greeter = require('./greeter');
// Options must contain any information required to verify the token (see documentation below)
const options = {
'applicationName': 'my-grpc-service',
'secretOrPublicKey': 'shhhhh',
};
const auth = new Auth((context, token) => {
// if 'authorization' metadata was received, is a valid token and could be verified
// using the received options, 'token' will contain a valid token object
console.log('token', token);
// do your magic here, to calculate the resources and roles the user has access to
// You can get the information from the token (or from anywhere).
// Then return an object with the information.
return {
'my-grpc-service': ['admin'],
'another-app': ['user', 'another-role'],
'realm': ['admin', 'user', 'yet-another-role'],
};
}, options);
// Then just initiate the server, and use the middleware
const app = new Condor()
.addService('./protos/greeter.proto', 'myapp.Greeter', new Greeter())
.use(auth.middleware)
.start();
As you can see, the mapping method must return an object. This object should be a map with the resource names as the keys, and an array of roles as the values.
2. Configuring Access Rules
After mapping the roles, you will need to define the rules to access each of the methods in your GRPC service.
By default, when no options are passed, it will try to read the access rules from access-rules.js
. This file is where you configure all the access rules for your application.
The rules file should export an object, with the full names of the services as keys, and an optional default
key which will be used for every method that is not defined in the file.
Rules Example
This example will show you the available options:
// access-rules.js
module.exports = {
'default': '$authenticated',
'myapp.Greeter': {
'sayHello': 'special',
'sayHelloOther': 'other-app:special',
'sayHelloRealm': 'realm:admin',
'sayHelloCustom': customValidation,
'sayHelloPublic': '$anonymous',
'sayHelloMultiple': ['special', 'realm:admin', customValidation],
},
};
function customValidation (context, token) => {
if (token.hasRole('myRole') && context.metadata.get('someKey')[0] === 'someValue') {
return true; // allow to continue
}
return false; // deny access
}
Using these rules, we're telling the application:
By default, for every method not defined in the file, the user must be authenticated (without taking into account any roles).
sayHello
requires the user to have thespecial
permission/role in this application. (applicationName
option must be set, to determine the name of this application)sayHelloOther
requires the user to have thespecial
permission/role in theother-app
resource.sayHelloRealm
requires the user to have theadmin
permission/role in therealm
resource.sayHelloCustom
access will be calculated by thecustomValidation
method.sayHelloPublic
will be public ($anonymous
)sayHelloMultiple
shows how you can pass not only one but an array of options to authorize the call. In this example, to authorize the method we are requiring any of these 3 conditions:- The user to have the
special
permission/role in this application - The user to have the
admin
permission/role in therealm
resource - The
customValidation
method to return true
- The user to have the
Rules Options
$anonynous and $authenticated
You can use $authenticated
to enforce a user to be authenticated before accessing the method (without verifying any roles). A user is considered authenticated when the token received in the metadata is valid.
On the other hand, you can use $anonymous
to make a resource public.
Role and Resource:Role
If it's a role in the current application, you can just use the permission/role name e.g. special
. For this to work, you must pass the applicationName
option when creating the Auth
instance.
If it's a permission or role of another application/resource, use the resource name and the role/permission name. e.g. another-app:special
.
Custom Validators
If you need some specific logic to authorize/deny access, just pass the function that must perform the validation (make sure to pass the actual function, not only the function name).
The validation function will be called with two parameters:
context
: The context being processed.token
: The decoded token if any, null otherwise.
The validation function must return a truthy value to allow access. Any falsy value will deny access.
Multiple options for a method
You can pass not only one option, but an array of options to authorize the call. If any of them pass, the call will be authorized.
How to require two roles? (use AND instead of OR)
The module is designed for the most common scenario, but we're sure there will be cases where your requirements will be different, in that case you can use custom validation functions that do exactly what you want. You can have for example something like this:
module.exports = {
'default': '$authenticated',
'myapp.Greeter': {
'sayHelloCustom': tokenHasAllRoles('special', 'admin'),
},
};
function tokenHasAllRoles() {
const roles = arguments;
return (context, token) => {
// Verify that the token has all the roles
return roles.every((role) => {
return token.payload.roles.contains(role);
});
};
}
Options
All values are optional. Their default values are:
| Option | Description | Default | |--------------------|--------------------------------------------------------------------------------------------------------|-----------------| | applicationName | The name of the application. To allow rules like 'my-role', instead of 'my-app:my-role') | | | rulesFile | The path to the rules file | access-rules.js | | rules | The access rules to use (can be used instead of rulesFile) | | | secretOrPublicKey | The key that should be used to verify a token | | | strategy | The strategy to use (if you don't want to use the default strategy) | |
Also, it will accept any options of the verify method of the jsonwebtoken module. Such options will be used to verify the token.
Strategies
Strategies allow you to customize:
- How the tokens are verified and decoded
- How the tokens are mapped to roles
Known strategies are:
- Default strategy: Bundled. It decodes and verifies JWTs using jsonwebtoken module. It doesn't provide a mapping method.
- condor-auth-keycloak. It verifies the token against keycloak, and map realm roles and resources roles automatically.
How to create your own strategy
You will to define the following methods:
- mapRoles(context, token): (Optional): This method receives the context, and token, and should return an object with the resource names as keys and an array of roles the user has, as values.
- decodeAndVerifyToken(context, options): (Optional): This method receives the context, and all the options passed in the
Auth
constructor. It should return the decoded token if valid, or null/undefined otherwise. Any thruthy value will be consider as a valid token, and the user will be considered to be authenticated. You can take a look at the DefaultStrategy to see an example of the implementation.
How to call from a client
The caller just need to include the authorization
metadata, with a valid JWT.
const grpc = require('grpc');
const jwt = require('jsonwebtoken');
const proto = grpc.load('./protos/greeter.proto');
const client = proto.myapp.Greeter('127.0.0.1:3000', grpc.credentials.createInsecure());
const myJWT = jwt.sign({ roles: 'myRole' }, 'shhhhh');
const data = {'name': 'Peter'};
const metadata = new grpc.Metadata();
metadata.set('authorization', myJWT);
client.sayHello(data, (err, result) => {
console.log('err', err);
console.log('result', result);
});
License and Credits
MIT License. Copyright 2017
Built by the GRPC experts at Devsu.