Merge pull request #1 from ministryofjustice/ag/check-user

Added basic authorisation

app.js

@@ -12,7 +12,6 @@ var Auth0Strategy = require('passport-auth0');
 dotenv.load();
 
 var routes = require('./routes/index');
-//var reports = require('./routes/reports');
 
 // This will configure Passport to use Auth0
 var strategy = new Auth0Strategy({
@@ -55,7 +54,6 @@ app.use(passport.initialize());
 app.use(passport.session());
 app.use(express.static(path.join(__dirname, 'public')));
 
-//app.use('/reports/', reports);
 app.use('/', routes);
 
 app.use(bodyParser.json());

circle.yml

@@ -3,6 +3,7 @@ machine:
  - docker
  environment:
  DOCKER_IMAGE_NAME: quay.io/mojanalytics/rstudio-auth-proxy
+ DOCKER_IMAGE_TAG: $(echo $CIRCLE_SHA1 | cut -c -8)
 
 dependencies:
  cache_directories:
@@ -21,8 +22,8 @@ deployment:
  production:
  branch: master
  commands:
- - docker login -u ${QUAY_USERNAME} -p ${QUAY_PASSWORD} -e ${QUAY_EMAIL} quay.io
- - docker build -t $DOCKER_IMAGE_NAME:${CIRCLE_SHA1} .
- - docker tag -f $DOCKER_IMAGE_NAME:${CIRCLE_SHA1} $DOCKER_IMAGE_NAME:latest
- - docker push $DOCKER_IMAGE_NAME:${CIRCLE_SHA1}
+ - docker login -u $QUAY_USERNAME -p $QUAY_PASSWORD -e $QUAY_EMAIL quay.io
+ - docker build -t $DOCKER_IMAGE_NAME:$DOCKER_IMAGE_TAG .
+ - docker tag -f $DOCKER_IMAGE_NAME:$DOCKER_IMAGE_TAG $DOCKER_IMAGE_NAME:latest
+ - docker push $DOCKER_IMAGE_NAME:$DOCKER_IMAGE_TAG
  - docker push $DOCKER_IMAGE_NAME:latest

routes/index.js

@@ -7,7 +7,8 @@ var router = express.Router();
 var env = {
  AUTH0_CLIENT_ID: process.env.AUTH0_CLIENT_ID,
  AUTH0_DOMAIN: process.env.AUTH0_DOMAIN,
- AUTH0_CALLBACK_URL: process.env.AUTH0_CALLBACK_URL || 'http:https://localhost:3000/callback'
+ AUTH0_CALLBACK_URL: process.env.AUTH0_CALLBACK_URL || 'http:https://localhost:3000/callback',
+ USER: process.env.USER,
 }
 
 var proxy = httpProxy.createProxyServer({
@@ -23,31 +24,22 @@ proxy.on('error', function(e) {
  console.log(e);
 });
 
-var setIfExists = function(proxyReq, header, value){
- if(value){
- proxyReq.setHeader(header, value);
- }
-}
-
 proxy.on('proxyReq', function(proxyReq, req, res, options) {
  if(req.user){
- // setIfExists(proxyReq, 'x-auth0-nickname', req.user._json.nickname);
- // setIfExists(proxyReq, 'x-auth0-user_id', req.user._json.user_id);
- // setIfExists(proxyReq, 'x-auth0-email', req.user._json.email);
- // setIfExists(proxyReq, 'x-auth0-name', req.user._json.name);
- // setIfExists(proxyReq, 'x-auth0-picture', req.user._json.picture);
- // setIfExists(proxyReq, 'x-auth0-locale', req.user._json.locale);
- //setIfExists(proxyReq, 'X-RStudio-Username', req.user._json.nickname);
-
  // make sure Github usernames are lowercased - username is used in k8s resource labels,
  // which only allow lowercase
  if(req.user.__json && req.user.__json.nickname){
- proxyReq.setHeader('X-RStudio-Username', req.user.__json.nickname.toLowerCase())
+ var nickname = req.user.__json.nickname.toLowerCase()
+ if (nickname === env.USER) {
+ proxyReq.setHeader('X-RStudio-Username', nickname)
+ } else {
+ // Not the owner of the machine - 403 FORBIDDEN
+ res.sendStatus(403);
+ }
  }
  }
 });
 
-
 /* Handle login */
 router.get('/login',
  function(req, res){
@@ -83,11 +75,5 @@ router.all(/.*/, ensureLoggedIn, function(req, res, next) {
  proxy.web(req, res);
 });
 
-/* GET home page. */
-// router.get('/', function(req, res, next) {
-// res.redirect('/reports/');
-// });
-
-
 
 module.exports = router;