Adds support for read-only masterKey (#4297)

* Adds support for read-only masterKey * Adds tests to make sure all endpoints are properly protected * Updates readme * nits
2017-10-26 15:35:07 -04:00
parent 87b79cedfa
commit 1dd58b7527
13 changed files with 195 additions and 7 deletions
--- a/src/Auth.js
+++ b/src/Auth.js
@@ -4,11 +4,12 @@ var RestQuery = require('./RestQuery');
 // An Auth object tells you who is requesting something and whether
 // the master key was used.
 // userObject is a Parse.User and can be null if there's no user.
-function Auth({ config, isMaster = false, user, installationId } = {}) {
+function Auth({ config, isMaster = false, isReadOnly = false, user, installationId } = {}) {
  this.config = config;
  this.installationId = installationId;
  this.isMaster = isMaster;
  this.user = user;
+  this.isReadOnly = isReadOnly;

  // Assuming a users roles won't change during a single request, we'll
  // only load them once.
@@ -34,6 +35,11 @@ function master(config) {
  return new Auth({ config, isMaster: true });
 }

+// A helper to get a master-level Auth object
+function readOnly(config) {
+  return new Auth({ config, isMaster: true, isReadOnly: true });
+}
+
 // A helper to get a nobody-level Auth object
 function nobody(config) {
  return new Auth({ config, isMaster: false });
@@ -207,9 +213,10 @@ Auth.prototype._getAllRolesNamesForRoleIds = function(roleIDs, names = [], queri
 }

 module.exports = {
-  Auth: Auth,
-  master: master,
-  nobody: nobody,
+  Auth,
+  master,
+  nobody,
+  readOnly,
  getAuthForSessionToken,
  getAuthForLegacySessionToken
 };
--- a/src/Config.js
+++ b/src/Config.js
@@ -60,8 +60,15 @@ export class Config {
    emailVerifyTokenValidityDuration,
    accountLockout,
    passwordPolicy,
-    masterKeyIps
+    masterKeyIps,
+    masterKey,
+    readOnlyMasterKey,
  }) {
+
+    if (masterKey === readOnlyMasterKey) {
+      throw new Error('masterKey and readOnlyMasterKey should be different');
+    }
+
    const emailAdapter = userController.adapter;
    if (verifyUserEmails) {
      this.validateEmailConfiguration({emailAdapter, appName, publicServerURL, emailVerifyTokenValidityDuration});
--- a/src/Options/Definitions.js
+++ b/src/Options/Definitions.js
@@ -123,6 +123,10 @@ module.exports.ParseServerOptions = {
    "env": "PARSE_SERVER_REST_API_KEY",
    "help": "Key for REST calls"
  },
+  "readOnlyMasterKey": {
+    "env": "PARSE_SERVER_READ_ONLY_MASTER_KEY",
+    "help": "Read-only key, which has the same capabilities as MasterKey without writes"
+  },
  "webhookKey": {
    "env": "PARSE_SERVER_WEBHOOK_KEY",
    "help": "Key sent with outgoing webhook calls"
--- a/src/Options/index.js
+++ b/src/Options/index.js
@@ -58,6 +58,8 @@ export interface ParseServerOptions {
  /* Key for REST calls
  :ENV: PARSE_SERVER_REST_API_KEY */
  restAPIKey: ?string;
+  /* Read-only key, which has the same capabilities as MasterKey without writes */
+  readOnlyMasterKey: ?string;
  /* Key sent with outgoing webhook calls */
  webhookKey: ?string;
  /* Key for your files */
--- a/src/RestWrite.js
+++ b/src/RestWrite.js
@@ -25,6 +25,9 @@ import logger    from './logger';
 // everything. It also knows to use triggers and special modifications
 // for the _User class.
 function RestWrite(config, auth, className, query, data, originalData, clientSDK) {
+  if (auth.isReadOnly) {
+    throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, 'Cannot perform a write operation when using readOnlyMasterKey');
+  }
  this.config = config;
  this.auth = auth;
  this.className = className;
--- a/src/Routers/GlobalConfigRouter.js
+++ b/src/Routers/GlobalConfigRouter.js
@@ -1,5 +1,5 @@
 // global_config.js
-
+import Parse           from 'parse/node';
 import PromiseRouter   from '../PromiseRouter';
 import * as middleware from "../middlewares";

@@ -16,6 +16,9 @@ export class GlobalConfigRouter extends PromiseRouter {
  }

  updateGlobalConfig(req) {
+    if (req.auth.isReadOnly) {
+      throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, 'read-only masterKey isn\'t allowed to update the config.');
+    }
    const params = req.body.params;
    // Transform in dot notation to make sure it works
    const update = Object.keys(params).reduce((acc, key) => {
--- a/src/Routers/PushRouter.js
+++ b/src/Routers/PushRouter.js
@@ -9,6 +9,9 @@ export class PushRouter extends PromiseRouter {
  }

  static handlePOST(req) {
+    if (req.auth.isReadOnly) {
+      throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, 'read-only masterKey isn\'t allowed to send push notifications.');
+    }
    const pushController = req.config.pushController;
    if (!pushController) {
      throw new Parse.Error(Parse.Error.PUSH_MISCONFIGURED, 'Push controller is not set');
--- a/src/Routers/SchemasRouter.js
+++ b/src/Routers/SchemasRouter.js
@@ -34,6 +34,9 @@ function getOneSchema(req) {
 }

 function createSchema(req) {
+  if (req.auth.isReadOnly) {
+    throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, 'read-only masterKey isn\'t allowed to create a schema.');
+  }
  if (req.params.className && req.body.className) {
    if (req.params.className != req.body.className) {
      return classNameMismatchResponse(req.body.className, req.params.className);
@@ -51,6 +54,9 @@ function createSchema(req) {
 }

 function modifySchema(req) {
+  if (req.auth.isReadOnly) {
+    throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, 'read-only masterKey isn\'t allowed to update a schema.');
+  }
  if (req.body.className && req.body.className != req.params.className) {
    return classNameMismatchResponse(req.body.className, req.params.className);
  }
@@ -64,6 +70,9 @@ function modifySchema(req) {
 }

 const deleteSchema = req => {
+  if (req.auth.isReadOnly) {
+    throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, 'read-only masterKey isn\'t allowed to delete a schema.');
+  }
  if (!SchemaController.classNameIsValid(req.params.className)) {
    throw new Parse.Error(Parse.Error.INVALID_CLASS_NAME, SchemaController.invalidClassNameMessage(req.params.className));
  }
--- a/src/middlewares.js
+++ b/src/middlewares.js
@@ -126,6 +126,13 @@ export function handleParseHeaders(req, res, next) {
    return;
  }

+  var isReadOnlyMaster = (info.masterKey === req.config.readOnlyMasterKey);
+  if (typeof req.config.readOnlyMasterKey != 'undefined' && req.config.readOnlyMasterKey && isReadOnlyMaster) {
+    req.auth = new auth.Auth({ config: req.config, installationId: info.installationId, isMaster: true, isReadOnly: true });
+    next();
+    return;
+  }
+
  // Client keys are not required in parse-server, but if any have been configured in the server, validate them
  //  to preserve original behavior.
  const keys = ["clientKey", "javascriptKey", "dotNetKey", "restAPIKey"];
--- a/src/rest.js
+++ b/src/rest.js
@@ -159,6 +159,12 @@ function enforceRoleSecurity(method, className, auth) {
    const error = `Clients aren't allowed to perform the ${method} operation on the ${className} collection.`
    throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, error);
  }
+
+  // readOnly masterKey is not allowed
+  if (auth.isReadOnly && (method === 'delete' || method === 'create' || method === 'update')) {
+    const error = `read-only masterKey isn't allowed to perform the ${method} operation.`
+    throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, error);
+  }
 }

 module.exports = {