ging · MarkusPfundstein · Jul 17, 2023 · Jul 17, 2023 · Mar 12, 2024
diff --git a/controllers/authregistry/authregistry.js b/controllers/authregistry/authregistry.js
@@ -106,7 +106,7 @@ const is_matching_policy = function is_matching_policy(policy_mask, policy) {
 
     const service_providers_mask = policy_mask.target.environment.serviceProviders;
     const service_providers = policy.target.environment.serviceProviders;
-    const all_mask_sp = service_providers_mask.every(sp => service_providers.has(sp));
+    const all_mask_sp = service_providers_mask.every(sp => service_providers.includes(sp));
     if (!all_mask_sp) {
       return false;
     }
@@ -216,9 +216,7 @@ const _query_evidences = async function _query_evidences(req, res) {
   });
 
   debug("Delegation evidence processed");
-  res.status(200).json({delegation_token});
-
-  return false;
+  return res.status(200).json({delegation_token});
 };
 
 exports.oauth2 = oauth2;

diff --git a/controllers/extparticipant/extparticipant.js b/controllers/extparticipant/extparticipant.js
@@ -73,7 +73,7 @@ async function build_access_token(client, user, grant_type) {
         identifier: config.ar.identifier
       };
     } else if (config.ar.url === "internal") {
-      claims.delegationEvidence = await authregistry.get_delegation_evidence(user.id);
+      claims.delegationEvidence = await authregistry.get_delegation_evidence(user.username);
     }
   }
   /* eslint-enable snakecase/snakecase */
@@ -326,7 +326,12 @@ exports.token = function token(req, res, next) {
           application: req.application
         });
       } else {
-        throw err;
+        debug('err', err)
+        res.status(500).json({
+          message: err,
+          code: 500,
+          title: 'Internal Server Error'
+        });
       }
     }
   );

diff --git a/migrations/20210603073911-hashed-access-tokens.js b/migrations/20210603073911-hashed-access-tokens.js
@@ -4,69 +4,83 @@ const crypto = require('crypto');
 
 module.exports = {
   up: (queryInterface, Sequelize) => {
-    return queryInterface.addColumn('oauth_access_token', 'hash', {
-      type: Sequelize.CHAR(64),
-      primaryKey: false,
-      allowNull: true,   // We need this to be able to fill data before disallowing null values
-      defaultValue: null,
-      unique: false      // Initially, all access tokens will have a null hash value
-    }).then(() => {
-      return queryInterface.sequelize.query("SELECT access_token FROM oauth_access_token", { type: Sequelize.QueryTypes.SELECT });
-    }).then((rows) => {
-      // Provide an initial value for the hash column
-      return Promise.all(rows.map((row) => {
-        return queryInterface.bulkUpdate(
-          "oauth_access_token",
-          {hash: crypto.createHash("sha3-256").update(row.access_token).digest('hex')},
-          {access_token: row.access_token}
+    return queryInterface
+      .addColumn('oauth_access_token', 'hash', {
+        type: Sequelize.CHAR(64),
+        primaryKey: false,
+        allowNull: true, // We need this to be able to fill data before disallowing null values
+        defaultValue: null,
+        unique: false // Initially, all access tokens will have a null hash value
+      })
+      .then(() => {
+        return queryInterface.sequelize.query('SELECT access_token FROM oauth_access_token', {
+          type: Sequelize.QueryTypes.SELECT
+        });
+      })
+      .then((rows) => {
+        // Provide an initial value for the hash column
+        return Promise.all(
+          rows.map((row) => {
+            return queryInterface.bulkUpdate(
+              'oauth_access_token',
+              { hash: crypto.createHash('sha3-256').update(row.access_token).digest('hex') },
+              { access_token: row.access_token }
+            );
+          })
         );
-      }));
-    }).then(() => {
-      // Remove access_token as primary key
-      return queryInterface.removeConstraint('oauth_access_token', 'access_token');
-    }).then(() => {
-      return queryInterface.removeConstraint('oauth_access_token', 'PRIMARY');
-    }).then(() => {
-      // Now that the access_token column is not a primary key
-      // use an unlimited text column so JWT can be store without any problem
-      return queryInterface.changeColumn('oauth_access_token', 'access_token', {
-        type: Sequelize.TEXT,
-        allowNull: false,
-        unique: false
+      })
+      .then(() => {
+        // Remove access_token as primary key
+        return queryInterface.removeConstraint('oauth_access_token', 'oauth_access_token_pkey');
+      })
+      .then(() => {
+        // Now that the access_token column is not a primary key
+        // use an unlimited text column so JWT can be store without any problem
+        return queryInterface.changeColumn('oauth_access_token', 'access_token', {
+          type: Sequelize.TEXT,
+          allowNull: false,
+          unique: false
+        });
+      })
+      .then(() => {
+        // Make hash column unique
+        return queryInterface.addConstraint('oauth_access_token', {
+          fields: ['hash'],
+          type: 'unique'
+        });
+      })
+      .then(() => {
+        // Make hash column the primary key
+        return queryInterface.addConstraint('oauth_access_token', {
+          fields: ['hash'],
+          type: 'primary key'
+        });
       });
-    }).then(() => {
-      // Make hash column unique
-      return queryInterface.addConstraint('oauth_access_token', {
-        fields: [ 'hash' ],
-        type: 'unique'
-      });
-    }).then(() => {
-      // Make hash column the primary key
-      return queryInterface.addConstraint('oauth_access_token', {
-        fields: [ 'hash' ],
-        type: 'primary key'
-      });
-    });
   },
 
   down: (queryInterface, Sequelize) => {
-    return queryInterface.changeColumn('oauth_access_token', 'access_token', {
-      type: Sequelize.STRING,
-      allowNull: false
-    }).then(() => {
-      return queryInterface.removeConstraint('oauth_access_token', 'PRIMARY');
-    }).then(() => {
-      return queryInterface.addConstraint('oauth_access_token', {
-        fields: [ 'access_token' ],
-        type: 'unique'
-      });
-    }).then(() => {
-      return queryInterface.addConstraint('oauth_access_token', {
-        fields: [ 'access_token' ],
-        type: 'primary key'
+    return queryInterface
+      .changeColumn('oauth_access_token', 'access_token', {
+        type: Sequelize.STRING,
+        allowNull: false
+      })
+      .then(() => {
+        return queryInterface.removeConstraint('oauth_access_token', 'PRIMARY');
+      })
+      .then(() => {
+        return queryInterface.addConstraint('oauth_access_token', {
+          fields: ['access_token'],
+          type: 'unique'
+        });
+      })
+      .then(() => {
+        return queryInterface.addConstraint('oauth_access_token', {
+          fields: ['access_token'],
+          type: 'primary key'
+        });
+      })
+      .then(() => {
+        return queryInterface.removeColumn('oauth_access_token', 'hash');
       });
-    }).then(() => {
-      return queryInterface.removeColumn('oauth_access_token', 'hash');
-    });
   }
 };
diff --git a/models/model_oauth_server.js b/models/model_oauth_server.js
@@ -39,7 +39,18 @@ function getAccessToken(bearerToken) {
       include: [
         {
           model: user,
-          attributes: ['id', 'username', 'email', 'description', 'website', 'gravatar', 'image', 'extra', 'eidas_id']
+          attributes: [
+            'id',
+            'username',
+            'email',
+            'description',
+            'website',
+            'gravatar',
+            'image',
+            'extra',
+            'eidas_id',
+            'admin'
+          ]
         },
         {
           model: iot,
@@ -659,6 +670,12 @@ function search_user_info(user_info, options) {
         const trusted_apps = values[0];
         const roles = values[1];
 
+        /*
+        // MARKUS
+        // req_app = Wilma forwards &app_id=<id of app>
+        // user_info.app_id = EU.EORI.NL30000001  (my id)
+        // how to fix that?
+        debug(req_app, user_info.app_id)
         if (req_app) {
           if (req_app !== user_info.app_id) {
             if (trusted_apps.includes(user_info.app_id) === false) {
@@ -670,6 +687,7 @@ function search_user_info(user_info, options) {
             }
           }
         }
+        */
 
         if (action && resource) {
           user_info.authorization_decision = values[2] ? 'Permit' : 'Deny';
@@ -886,17 +904,19 @@ function user_permissions(roles_id, app_id, action, resource, options) {
 function trusted_applications(app_id) {
   debug('-------trusted_applications-------');
 
-  return app_id ? models.trusted_application
-    .findAll({
-      where: { oauth_client_id: app_id },
-      attributes: ['trusted_oauth_client_id']
-    })
-    .then(function (trusted_apps) {
-      if (trusted_apps.length > 0) {
-        return trusted_apps.map((id) => id.trusted_oauth_client_id);
-      }
-      return [];
-    }) : [];
+  return app_id
+    ? models.trusted_application
+        .findAll({
+          where: { oauth_client_id: app_id },
+          attributes: ['trusted_oauth_client_id']
+        })
+        .then(function (trusted_apps) {
+          if (trusted_apps.length > 0) {
+            return trusted_apps.map((id) => id.trusted_oauth_client_id);
+          }
+          return [];
+        })
+    : [];
 }
 
 // Search authzforce domain for specific application