Feature/refresh

src/server/__mocks__/mockDataFromES.js

@@ -13,6 +13,18 @@ const mockPing = () => {
     .reply(200, 'hello');
 };
 
+const mockRefresh = () => {
+  if (config.allowRefresh) {
+    nock(config.esConfig.host)
+      .post('/_refresh')
+      .reply(200, '[Server] guppy refreshed successfully');
+  } else {
+    nock(config.esConfig.host)
+      .post('/_refresh')
+      .reply(404, '[Server] guppy _refresh functionality is not enabled');
+  }
+};
+
 const mockResourcePath = () => {
   const queryResource = {
     size: 0,
@@ -405,6 +417,7 @@ const mockArrayConfig = () => {
 const setup = () => {
   mockArborist();
   mockPing();
+  mockRefresh();
   mockResourcePath();
   mockESMapping();
   mockArrayConfig();

src/server/__tests__/config.test.js

@@ -97,4 +97,11 @@ describe('config', () => {
     expect(config.esConfig.aggregationIncludeMissingData).toBe(true);
     expect(config.esConfig.missingDataAlias).toEqual(alias);
   });
+
+  /* --------------- For _refresh testing --------------- */
+  test('could not access _refresh method if not in config', async () => {
+    process.env.GUPPY_CONFIG_FILEPATH = `${__dirname}/testConfigFiles/test-no-refresh-option-provided.json`;
+    const config = require("../config").default;
+    expect(config.allowRefresh).toBe(false);
+  });
 });

src/server/__tests__/testConfigFiles/test-no-refresh-option-provided.json

@@ -0,0 +1 @@
+{}

src/server/auth/__tests__/authHelper.test.js

@@ -1,5 +1,5 @@
 // eslint-disable-next-line
-import nock from 'nock'; // must import this to enable mock data by nock 
+import nock from 'nock'; // must import this to enable mock data by nock
 import getAuthHelperInstance from '../authHelper';
 import esInstance from '../../es/index';
 import setupMockDataEndpoint from '../../__mocks__/mockDataFromES';
@@ -12,6 +12,7 @@ setupMockDataEndpoint();
 describe('AuthHelper', () => {
   test('could create auth helper instance', async () => {
     const authHelper = await getAuthHelperInstance('fake-jwt');
+    expect(authHelper.getCanRefresh()).toEqual(false);
     expect(authHelper.getAccessibleResources()).toEqual(['internal-project-1', 'internal-project-2', 'internal-project-4', 'internal-project-5']);
     expect(authHelper.getAccessibleResources()).not.toContain(['internal-project-3', 'internal-project-6']);
     expect(authHelper.getUnaccessibleResources()).toEqual(['external-project-1', 'external-project-2']);

src/server/auth/arboristClient.js

@@ -8,10 +8,10 @@ class ArboristClient {
     this.baseEndpoint = arboristEndpoint;
   }
 
-  listAuthorizedResources(jwt) {
+  listAuthMapping(jwt) {
     // Make request to arborist for list of resources with access
     const resourcesEndpoint = `${this.baseEndpoint}/auth/mapping`;
-    log.debug('[ArboristClient] listAuthorizedResources jwt: ', jwt);
+    log.debug('[ArboristClient] listAuthMapping jwt: ', jwt);
 
     const headers = (jwt) ? { Authorization: `bearer ${jwt}` } : {};
     return fetch(
@@ -40,29 +40,6 @@ class ArboristClient {
         log.error(err);
         throw new CodedError(500, err);
       },
-    ).then(
-      (result) => {
-        const data = {
-          resources: [],
-        };
-        Object.keys(result).forEach((key) => {
-        // logic: you have access to a project if you have the following access:
-        // method 'read' (or '*' - all methods) to service 'guppy' (or '*' - all services)
-        // on the project resource.
-          if (result[key] && result[key].some((x) => (
-            (x.method === 'read' || x.method === '*')
-          && (x.service === 'guppy' || x.service === '*')
-          ))) {
-            data.resources.push(key);
-          }
-        });
-        log.debug('[ArboristClient] data: ', data);
-        return data;
-      },
-      (err) => {
-        log.error(err);
-        throw new CodedError(500, err);
-      },
     );
   }
 }

src/server/auth/authHelper.js

@@ -5,6 +5,7 @@ import {
   getRequestResourceListFromFilter,
   buildFilterWithResourceList,
   getAccessibleResourcesFromArboristasync,
+  canRefresh,
 } from './utils';
 import config from '../config';
 
@@ -18,6 +19,9 @@ export class AuthHelper {
       this._accessibleResourceList = await getAccessibleResourcesFromArboristasync(this._jwt);
       log.debug('[AuthHelper] accessible resources:', this._accessibleResourceList);
 
+      this._canRefresh = await canRefresh(this._jwt);
+      log.debug('[AuthHelper] can user refresh:', this._canRefresh);
+
       const promiseList = [];
       config.esConfig.indices.forEach(({ index, type }) => {
         const subListPromise = this.getOutOfScopeResourceList(index, type);
@@ -39,6 +43,10 @@ export class AuthHelper {
     return this._accessibleResourceList;
   }
 
+  getCanRefresh(){
+    return this._canRefresh
+  }
+
   getUnaccessibleResources() {
     return this._unaccessibleResourceList;
   }

src/server/auth/utils.js

@@ -16,7 +16,7 @@ export const getAccessibleResourcesFromArboristasync = async (jwt) => {
       ],
     };
   } else {
-    data = await arboristClient.listAuthorizedResources(jwt);
+    data = await arboristClient.listAuthMapping(jwt);
   }
 
   log.debug('[authMiddleware] list resources: ', JSON.stringify(data, null, 4));
@@ -27,10 +27,39 @@ export const getAccessibleResourcesFromArboristasync = async (jwt) => {
     }
     throw new CodedError(data.error.code, data.error.message);
   }
+
+  data = resourcePathsWithServiceMethodCombination(data, ['guppy', '*'], ['read', '*'])
   const resources = data.resources ? _.uniq(data.resources) : [];
   return resources;
 };
 
+export const canRefresh = async (jwt) => {
+  let data;
+  if (config.internalLocalTest) {
+    data = {
+      resources: [ // these are just for testing
+        '/programs/DEV/projects/test',
+        '/programs/jnkns/projects/jenkins',
+      ],
+    };
+  } else {
+    data = await arboristClient.listAuthMapping(jwt);
+  }
+
+  log.debug('[authMiddleware] list resources: ', JSON.stringify(data, null, 4));
+  if (data && data.error) {
+    // if user is not in arborist db, assume has no access to any
+    if (data.error.code === 404) {
+      return false;
+    }
+    throw new CodedError(data.error.code, data.error.message);
+  }
+  data = resourcePathsWithServiceMethodCombination(data, ['guppy'], ['admin_access', '*'])
+
+  // Only guppy_admin resource path can control guppy admin access
+  return data.resources ? data.resources.includes('/guppy_admin') : false;
+};
+
 export const getRequestResourceListFromFilter = async (
   esIndex,
   esType,
@@ -49,3 +78,20 @@ export const buildFilterWithResourceList = (resourceList = []) => {
   };
   return filter;
 };
+
+export const resourcePathsWithServiceMethodCombination = (userAuthMapping, services, methods = {}) => {
+  const data = {
+    resources: [],
+  };
+  Object.keys(userAuthMapping).forEach((key) => {
+  // logic: you have access to a project if you have
+  // access to any of the combinations made by the method and service lists
+  if (userAuthMapping[key] && userAuthMapping[key].some((x) => (
+        methods.includes(x.method)
+        && services.includes(x.service)
+      ))) {
+        data.resources.push(key);
+      }
+  });
+  return data
+}

src/server/config.js

@@ -38,6 +38,7 @@ const config = {
   analyzedTextFieldSuffix: '.analyzed',
   matchedTextHighlightTagName: 'em',
   allowedMinimumSearchLen: 2,
+  allowRefresh: inputConfig.allowRefresh || false,
 };
 
 if (process.env.GEN3_ES_ENDPOINT) {

src/server/server.js

@@ -19,22 +19,50 @@ import downloadRouter from './download';
 import CodedError from './utils/error';
 import { statusRouter, versionRouter } from './endpoints';
 
+let server;
 const app = express();
 app.use(cors());
 app.use(helmet());
 app.use(bodyParser.json({ limit: '50mb' }));
 
+const refreshRouter  = async (req, res, next) => {
+  res.setHeader('Content-Type', 'application/json; charset=utf-8');
+  try {
+    if (config.allowRefresh === false) {
+      const disabledRefresh = new CodedError(404, '[Refresh] guppy _refresh functionality is not enabled');
+      throw disabledRefresh;
+    }
+    else if (config.allowRefresh) {
+      log.debug('[Refresh] ', JSON.stringify(req.body, null, 4));
+      const jwt = headerParser.parseJWT(req);
+      if (!jwt) {
+        const noJwtError = new CodedError(401, '[Refresh] no JWT user token provided to _refresh function');
+        throw noJwtError;
+      }
+      const authHelper = await getAuthHelperInstance(jwt);
+      if (authHelper._canRefresh === undefined || authHelper._canRefresh === false) {
+        const noPermsUser = new CodedError(401, '[Refresh] User cannot refresh Guppy without a valid token that has admin_access method on guppy service for resource path /guppy_admin');
+        throw noPermsUser;
+      }
+      await server.stop()
+      await initializeAndStartServer();
+    }
+    res.send("[Refresh] guppy refreshed successfully")
+  } catch (err) {
+    log.error(err);
+    next(err);
+  }
+  return 0;
+};
+
 const startServer = async () => {
   // build schema and resolvers by parsing elastic search fields and types,
   const typeDefs = getSchema(config.esConfig, esInstance);
   const resolvers = getResolver(config.esConfig, esInstance);
   const schema = makeExecutableSchema({ typeDefs, resolvers });
-  const schemaWithMiddleware = applyMiddleware(
-    schema,
-    ...middlewares,
-  );
-    // create graphql server instance
-  const server = new ApolloServer({
+  const schemaWithMiddleware = applyMiddleware(schema, ...middlewares);
+  // create graphql server instance
+  server = new ApolloServer({
     mocks: false,
     schema: schemaWithMiddleware,
     validationRules: [depthLimit(10)],
@@ -57,43 +85,49 @@ const startServer = async () => {
       path: config.path,
     }),
   );
+  log.info(`[Server] guppy listening on port ${config.port}!`);
+};
 
-  // simple health check endpoint
-  // eslint-disable-next-line no-unused-vars
-  app.get('/_status', statusRouter, (req, res, err, next) => {
-    if (err instanceof CodedError) {
-      // deepcode ignore ServerLeak: no important information exists in error
-      res.status(err.code).send(err.msg);
-    } else {
-      // deepcode ignore ServerLeak: no important information exists in error
-      res.status(500).send(err);
-    }
-  });
+const initializeAndStartServer = async () => {
+  await esInstance.initialize();
+  await startServer();
+};
+// simple health check endpoint
+// eslint-disable-next-line no-unused-vars
+app.get('/_status', statusRouter, (req, res, err, next) => {
+  if (err instanceof CodedError) {
+    // deepcode ignore ServerLeak: no important information exists in error
+    res.status(err.code).send(err.msg);
+  } else {
+    // deepcode ignore ServerLeak: no important information exists in error
+    res.status(500).send(err);
+  }
+});
 
-  // eslint-disable-next-line no-unused-vars
-  app.get('/_version', versionRouter);
+// eslint-disable-next-line no-unused-vars
+app.get('/_version', versionRouter);
 
-  // download endpoint for fetching data directly from es
-  app.post(
-    '/download',
-    downloadRouter,
-    (err, req, res, next) => { // eslint-disable-line no-unused-vars
-      if (err instanceof CodedError) {
-        // deepcode ignore ServerLeak: no important information exists in error
-        res.status(err.code).send(err.msg);
-      } else {
-        // deepcode ignore ServerLeak: no important information exists in error
-        res.status(500).send(err);
-      }
-    },
-  );
+// download endpoint for fetching data directly from es
+app.post('/download', downloadRouter, (err, req, res, next) => {
+  // eslint-disable-line no-unused-vars
+  if (err instanceof CodedError) {
+    // deepcode ignore ServerLeak: no important information exists in error
+    res.status(err.code).send(err.msg);
+  } else {
+    // deepcode ignore ServerLeak: no important information exists in error
+    res.status(500).send(err);
+  }
+});
 
-  app.listen(config.port, () => {
-    log.info(`[Server] guppy listening on port ${config.port}!`);
-  });
-};
+app.post('/_refresh',refreshRouter,   (err, req, res, next) => {
+  if (err instanceof CodedError) {
+    res.status(err.code).send(err.msg);
+  }else{
+    res.status(500).send(err)
+  }
+});
 
 // need to connect to ES and initialize before setting up a server
-esInstance.initialize().then(() => {
-  startServer();
+app.listen(config.port, async () => {
+  await initializeAndStartServer();
 });

startServer.sh

@@ -4,4 +4,4 @@ if [[ -z "$DD_TRACE_ENABLED" ]]; then
     export DD_TRACE_ENABLED=false
 fi
 
-node --max-http-header-size 16000 --require dd-trace/init dist/server/server.js
+node --max-http-header-size 16000 --require dd-trace/init dist/server/server.js