Add route for impersonating users from association id

.gitignore

@@ -9,3 +9,4 @@ yarn-error.log
 npm-error.log
 /.vscode
 /.idea
+.env

impersonate.js

@@ -0,0 +1,100 @@
+const fetchPromise = import("node-fetch");
+
+async function getSaToken() {
+  const fetch = (await fetchPromise).default;
+
+  const resp = await fetch(
+    "https://sso.csh.rit.edu/auth/realms/master/protocol/openid-connect/token",
+    {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Authorization: `Basic ${Buffer.from(
+          process.env.GK_SA_USERNAME + ":" + process.env.GK_SA_PASSWORD
+        ).toString("base64")}`,
+      },
+      body: "grant_type=client_credentials",
+    }
+  );
+  const json = await resp.json();
+
+  return json["access_token"];
+}
+
+async function getUidFromUsername(username, saToken) {
+  const fetch = (await fetchPromise).default;
+
+  const resp = await fetch(
+    "https://sso.csh.rit.edu/auth/admin/realms/csh/users?username=" + username,
+    {
+      headers: {
+        Authorization: `Bearer ${saToken}`,
+      },
+    }
+  );
+  const json = await resp.json();
+
+  return json[0]["id"];
+}
+
+async function getImpersonationSession(userId, saToken) {
+  const fetch = (await fetchPromise).default;
+
+  const resp = await fetch(
+    `https://sso.csh.rit.edu/auth/admin/realms/csh/users/${userId}/impersonation`,
+    {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${saToken}`,
+      },
+    }
+  );
+  const headers = resp.headers;
+  const cookies = headers.get("set-cookie");
+
+  const identityRegex = /KEYCLOAK_IDENTITY=\S+/;
+  const sessionRegex = /KEYCLOAK_SESSION=\S+/;
+
+  const identity = identityRegex
+    .exec(cookies)[0]
+    .split("=")[1]
+    .replace(";", "");
+  const session = sessionRegex.exec(cookies)[0].split("=")[1].replace(";", "");
+
+  return {identity, session};
+}
+
+async function getUserToken(identity, session) {
+  const fetch = (await fetchPromise).default;
+
+  const resp = await fetch(
+    "https://sso.csh.rit.edu/auth/realms/csh/protocol/openid-connect/auth?client_id=gatekeeper&response_type=token&response_mode=fragment&redirect_uri=https%3A%2F%2Fgatekeeper.csh.rit.edu%2Fcallback",
+    {
+      method: "GET",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Cookie: `KEYCLOAK_SESSION=${session}; KEYCLOAK_IDENTITY=${identity};`,
+      },
+      redirect: "manual",
+    }
+  );
+
+  const headers = resp.headers;
+  const location = new URL(headers.get("location").replace("#", "?"));
+
+  let accessToken = location.searchParams.get("access_token");
+
+  return accessToken;
+}
+
+async function getImpersonationToken(userId) {
+  const saToken = await getSaToken();
+  const uid = await getUidFromUsername(userId, saToken);
+  const {identity, session} = await getImpersonationSession(uid, saToken);
+  const accessToken = await getUserToken(identity, session);
+  return {uid, userId, accessToken};
+}
+
+module.exports = {
+  getImpersonationToken,
+};

package.json

@@ -15,6 +15,7 @@
     "ldapjs": "^2.3.1",
     "mongodb": "^3.6.9",
     "morgan": "^1.10.0",
-    "mqtt": "^4.2.6"
+    "mqtt": "^4.2.6",
+    "node-fetch": "^3.2.3"
   }
 }

routes/memberProjects.js

@@ -1,5 +1,6 @@
 const router = require("express").Router();
 const ldap = require("../ldap");
+const impersonate = require("../impersonate");
 
 function findUser(id) {
   return new Promise((resolve, reject) => {
@@ -88,4 +89,53 @@ router.get("/by-key/:associationId", async (req, res) => {
   });
 });
 
+router.get("/impersonate/:associationId", async (req, res) => {
+  const key = await req.ctx.db.collection("keys").findOne({
+    [req.associationType]: {$eq: req.params.associationId},
+  });
+
+  if (!key) {
+    res.status(404).json({message: "Not found"});
+    return;
+  }
+
+  const userDocument = await req.ctx.db.collection("users").findOne({
+    id: {$eq: key.userId},
+    disabled: {$ne: true},
+  });
+  if (!userDocument) {
+    res.status(404).json({message: "User not found or disabled"});
+    return;
+  }
+
+  let user;
+  try {
+    user = await findUser(key.userId);
+  } catch (err) {
+    res.status(500).json({message: "Internal server error"});
+    return;
+  }
+
+  const response = {};
+  for (const attribute of user.attributes) {
+    if (attribute.type == "jpegPhoto") {
+      response[attribute.type] = attribute._vals[0].toString("base64");
+    } else {
+      const values = attribute._vals.map((value) => value.toString("utf8"));
+      if (ARRAYS.has(attribute.type)) {
+        response[attribute.type] = values;
+      } else {
+        if (values.length > 1) {
+          console.warn(`${attribute.type} has many values!!`);
+        }
+        response[attribute.type] = values.join(",");
+      }
+    }
+  }
+
+  const uid = response["uid"];
+
+  res.json(await impersonate.getImpersonationToken(uid));
+});
+
 module.exports = router;