added siteMinder authn strategy

bcgov · Oct 2, 2023 · 2fb9eb2 · 2fb9eb2
1 parent fde9590
commit 2fb9eb2
Show file tree

Hide file tree

Showing 8 changed files with 73 additions and 7 deletions.
diff --git a/notify-bc-lb/src/authn-strategies/siteminder-authentication.strategy.ts b/notify-bc-lb/src/authn-strategies/siteminder-authentication.strategy.ts
@@ -12,10 +12,11 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+// file ported
 import {AuthenticationStrategy} from '@loopback/authentication';
 import {inject} from '@loopback/core';
 import {MiddlewareContext, Request, RestBindings} from '@loopback/rest';
-import {securityId, UserProfile} from '@loopback/security';
+import {UserProfile, securityId} from '@loopback/security';
 import {ConfigurationRepository} from '../repositories';
 
 export class SiteMinderAuthenticationStrategy

diff --git a/notify-bc-lb/src/repositories/baseCrudRepository.ts b/notify-bc-lb/src/repositories/baseCrudRepository.ts
@@ -109,6 +109,7 @@ export class BaseCrudRepository<
     }
     // internal requests
     if (!httpCtx) return null;
+    // start: ported
     const request = httpCtx.req || httpCtx.request;
     if (!request) return null;
     const currUser =
@@ -131,6 +132,7 @@ export class BaseCrudRepository<
       return ipRangeCheck(realIp, e);
     });
     return isFromSM ? currUser : null;
+    // end: ported
   }
 
   // start: ported

diff --git a/src/api/subscriptions/subscriptions.controller.ts b/src/api/subscriptions/subscriptions.controller.ts
@@ -1,9 +1,19 @@
-import { Controller, Get, Post, Body, Patch, Param, Delete } from '@nestjs/common';
-import { SubscriptionsService } from './subscriptions.service';
+import {
+  Body,
+  Controller,
+  Delete,
+  Get,
+  Param,
+  Patch,
+  Post,
+} from '@nestjs/common';
+import { ApiTags } from '@nestjs/swagger';
 import { CreateSubscriptionDto } from './dto/create-subscription.dto';
 import { UpdateSubscriptionDto } from './dto/update-subscription.dto';
+import { SubscriptionsService } from './subscriptions.service';
 
 @Controller('subscriptions')
+@ApiTags('subscription')
 export class SubscriptionsController {
   constructor(private readonly subscriptionsService: SubscriptionsService) {}
 
@@ -23,7 +33,10 @@ export class SubscriptionsController {
   }
 
   @Patch(':id')
-  update(@Param('id') id: string, @Body() updateSubscriptionDto: UpdateSubscriptionDto) {
+  update(
+    @Param('id') id: string,
+    @Body() updateSubscriptionDto: UpdateSubscriptionDto,
+  ) {
     return this.subscriptionsService.update(+id, updateSubscriptionDto);
   }
 

diff --git a/src/auth/access-token-authn-strategy.middleware.ts b/src/auth/access-token-authn-strategy.middleware.ts
@@ -3,12 +3,14 @@ import { Request } from 'express';
 import { AccessTokenService } from 'src/api/administrators/access-token.service';
 import { AdminUserProfile } from 'src/api/administrators/constants';
 import { AuthnStrategy, Role } from './constants';
+import { UserProfile } from './dto/user-profile.dto';
 
 @Injectable()
 export class AccessTokenAuthnStrategyMiddleware implements NestMiddleware {
   constructor(private readonly accessTokenService: AccessTokenService) {}
 
-  use(req: any, res: any, next: () => void) {
+  use(req: Request & { user: UserProfile }, res: any, next: () => void) {
+    if (req.user) return next();
     const token: string = this.extractCredentials(req);
     this.accessTokenService.verifyToken(token).then(
       (userProfile: AdminUserProfile) => {

diff --git a/src/auth/auth.module.ts b/src/auth/auth.module.ts
@@ -4,6 +4,7 @@ import { AdministratorsModule } from 'src/api/administrators/administrators.modu
 import { AccessTokenAuthnStrategyMiddleware } from './access-token-authn-strategy.middleware';
 import { IpAuthnStrategyMiddleware } from './ip-authn-strategy.middleware';
 import { RolesGuard } from './roles.guard';
+import { SiteminderAuthnStrategyMiddleware } from './siteminder-authn-strategy.middleware';
 
 @Module({
   imports: [AdministratorsModule],
@@ -17,7 +18,11 @@ import { RolesGuard } from './roles.guard';
 export class AuthModule implements NestModule {
   configure(consumer: MiddlewareConsumer) {
     consumer
-      .apply(AccessTokenAuthnStrategyMiddleware, IpAuthnStrategyMiddleware)
+      .apply(
+        AccessTokenAuthnStrategyMiddleware,
+        SiteminderAuthnStrategyMiddleware,
+        IpAuthnStrategyMiddleware,
+      )
       .forRoutes('*');
   }
 }
diff --git a/src/auth/constants.ts b/src/auth/constants.ts
@@ -12,6 +12,7 @@ export enum Role {
 export enum AuthnStrategy {
   Ip = 'Ip',
   AccessToken = 'accessToken',
+  SiteMinder = 'siteMinder',
 }
 
 export const ROLES_KEY = 'roles';
diff --git a/src/auth/ip-authn-strategy.middleware.ts b/src/auth/ip-authn-strategy.middleware.ts
@@ -1,13 +1,15 @@
 import { Injectable, NestMiddleware } from '@nestjs/common';
+import { Request } from 'express';
 import ipRangeCheck from 'ip-range-check';
 import { AppConfigService } from 'src/config/app-config.service';
 import { AuthnStrategy, Role } from './constants';
+import { UserProfile } from './dto/user-profile.dto';
 
 @Injectable()
 export class IpAuthnStrategyMiddleware implements NestMiddleware {
   constructor(private readonly appConfigService: AppConfigService) {}
 
-  use(req: any, res: any, next: () => void) {
+  use(req: Request & { user: UserProfile }, res: any, next: () => void) {
     const adminIps: [] =
       this.appConfigService.get('adminIps') ||
       this.appConfigService.get('defaultAdminIps');

diff --git a/src/auth/siteminder-authn-strategy.middleware.ts b/src/auth/siteminder-authn-strategy.middleware.ts
@@ -0,0 +1,40 @@
+import { Injectable, NestMiddleware } from '@nestjs/common';
+import { Request } from 'express';
+import ipRangeCheck from 'ip-range-check';
+import { AppConfigService } from 'src/config/app-config.service';
+import { AuthnStrategy, Role } from './constants';
+import { UserProfile } from './dto/user-profile.dto';
+@Injectable()
+export class SiteminderAuthnStrategyMiddleware implements NestMiddleware {
+  constructor(private readonly appConfigService: AppConfigService) {}
+
+  use(req: Request & { user: UserProfile }, res: any, next: () => void) {
+    if (req.user) return next();
+    const currUser =
+      req.get('SM_UNIVERSALID') ||
+      req.get('sm_user') ||
+      req.get('smgov_userdisplayname');
+    if (!currUser) {
+      return next();
+    }
+    const siteMinderReverseProxyIps = this.appConfigService.get(
+      'siteMinderReverseProxyIps',
+    );
+    if (!siteMinderReverseProxyIps || siteMinderReverseProxyIps.length <= 0) {
+      return next();
+    }
+    // rely on express 'trust proxy' settings to obtain real ip
+    const realIp = req.ip;
+    const isFromSM = siteMinderReverseProxyIps.some(function (e: string) {
+      return ipRangeCheck(realIp, e);
+    });
+    if (isFromSM) {
+      req.user = {
+        securityId: currUser,
+        authnStrategy: AuthnStrategy.SiteMinder,
+        role: Role.AuthenticatedUser,
+      };
+    }
+    return next();
+  }
+}