Fix jwt-token

2025-09-13 14:09:33 +02:00
parent 98c75c125d
commit f946816fdb
7 changed files with 1689 additions and 1 deletions
--- a/server/middleware/rbac.js
+++ b/server/middleware/rbac.js
@@ -0,0 +1,231 @@
+/**
+ * Role-Based Access Control (RBAC) System
+ * Defines granular permissions for different roles
+ */
+
+// Define specific permissions
+const PERMISSIONS = {
+  // General tenant management
+  'tenant.view': 'View tenant information',
+  'tenant.edit': 'Edit basic tenant settings',
+  
+  // Branding permissions
+  'branding.view': 'View branding settings',
+  'branding.edit': 'Edit branding and appearance',
+  
+  // Security permissions
+  'security.view': 'View security settings',
+  'security.edit': 'Edit security settings and IP restrictions',
+  
+  // User management permissions
+  'users.view': 'View user list',
+  'users.create': 'Create new users',
+  'users.edit': 'Edit user details',
+  'users.delete': 'Delete or deactivate users',
+  'users.manage_roles': 'Change user roles',
+  
+  // Authentication permissions
+  'auth.view': 'View authentication settings',
+  'auth.edit': 'Edit authentication provider settings',
+  
+  // Operational permissions
+  'dashboard.view': 'View dashboard',
+  'devices.view': 'View devices',
+  'devices.manage': 'Add, edit, delete devices',
+  'detections.view': 'View detections',
+  'alerts.view': 'View alerts',
+  'alerts.manage': 'Manage alert configurations',
+  'debug.access': 'Access debug information'
+};
+
+// Role definitions with their permissions
+const ROLES = {
+  // Full tenant administrator
+  'admin': [
+    'tenant.view', 'tenant.edit',
+    'branding.view', 'branding.edit',
+    'security.view', 'security.edit',
+    'users.view', 'users.create', 'users.edit', 'users.delete', 'users.manage_roles',
+    'auth.view', 'auth.edit',
+    'dashboard.view',
+    'devices.view', 'devices.manage',
+    'detections.view',
+    'alerts.view', 'alerts.manage',
+    'debug.access'
+  ],
+  
+  // User management specialist
+  'user_admin': [
+    'tenant.view',
+    'users.view', 'users.create', 'users.edit', 'users.delete', 'users.manage_roles',
+    'dashboard.view',
+    'devices.view',
+    'detections.view',
+    'alerts.view'
+  ],
+  
+  // Security specialist
+  'security_admin': [
+    'tenant.view',
+    'security.view', 'security.edit',
+    'auth.view', 'auth.edit',
+    'users.view',
+    'dashboard.view',
+    'devices.view',
+    'detections.view',
+    'alerts.view'
+  ],
+  
+  // Branding/marketing specialist
+  'branding_admin': [
+    'tenant.view',
+    'branding.view', 'branding.edit',
+    'dashboard.view',
+    'devices.view',
+    'detections.view',
+    'alerts.view'
+  ],
+  
+  // Operations manager
+  'operator': [
+    'tenant.view',
+    'dashboard.view',
+    'devices.view', 'devices.manage',
+    'detections.view',
+    'alerts.view', 'alerts.manage'
+  ],
+  
+  // Read-only user
+  'viewer': [
+    'dashboard.view',
+    'devices.view',
+    'detections.view',
+    'alerts.view'
+  ]
+};
+
+/**
+ * Check if a user has a specific permission
+ * @param {string} userRole - The user's role
+ * @param {string} permission - The permission to check
+ * @returns {boolean} - True if user has permission
+ */
+const hasPermission = (userRole, permission) => {
+  if (!userRole || !ROLES[userRole]) {
+    return false;
+  }
+  return ROLES[userRole].includes(permission);
+};
+
+/**
+ * Check if a user has any of the specified permissions
+ * @param {string} userRole - The user's role
+ * @param {Array<string>} permissions - Array of permissions to check
+ * @returns {boolean} - True if user has at least one permission
+ */
+const hasAnyPermission = (userRole, permissions) => {
+  return permissions.some(permission => hasPermission(userRole, permission));
+};
+
+/**
+ * Check if a user has all of the specified permissions
+ * @param {string} userRole - The user's role
+ * @param {Array<string>} permissions - Array of permissions to check
+ * @returns {boolean} - True if user has all permissions
+ */
+const hasAllPermissions = (userRole, permissions) => {
+  return permissions.every(permission => hasPermission(userRole, permission));
+};
+
+/**
+ * Get all permissions for a role
+ * @param {string} userRole - The user's role
+ * @returns {Array<string>} - Array of permissions
+ */
+const getPermissions = (userRole) => {
+  return ROLES[userRole] || [];
+};
+
+/**
+ * Get all available roles
+ * @returns {Array<string>} - Array of role names
+ */
+const getRoles = () => {
+  return Object.keys(ROLES);
+};
+
+/**
+ * Express middleware to check permissions
+ * @param {Array<string>} requiredPermissions - Required permissions
+ * @returns {Function} - Express middleware function
+ */
+const requirePermissions = (requiredPermissions) => {
+  return (req, res, next) => {
+    if (!req.user || !req.user.role) {
+      return res.status(401).json({
+        success: false,
+        message: 'Authentication required'
+      });
+    }
+
+    const userRole = req.user.role;
+    const hasRequiredPermissions = requiredPermissions.every(permission => 
+      hasPermission(userRole, permission)
+    );
+
+    if (!hasRequiredPermissions) {
+      return res.status(403).json({
+        success: false,
+        message: 'Insufficient permissions',
+        required_permissions: requiredPermissions,
+        user_role: userRole
+      });
+    }
+
+    next();
+  };
+};
+
+/**
+ * Express middleware to check if user has any of the specified permissions
+ * @param {Array<string>} permissions - Array of permissions
+ * @returns {Function} - Express middleware function
+ */
+const requireAnyPermission = (permissions) => {
+  return (req, res, next) => {
+    if (!req.user || !req.user.role) {
+      return res.status(401).json({
+        success: false,
+        message: 'Authentication required'
+      });
+    }
+
+    const userRole = req.user.role;
+    const hasRequiredPermission = permissions.some(permission => 
+      hasPermission(userRole, permission)
+    );
+
+    if (!hasRequiredPermission) {
+      return res.status(403).json({
+        success: false,
+        message: 'Insufficient permissions',
+        required_permissions: permissions,
+        user_role: userRole
+      });
+    }
+
+    next();
+  };
+};
+
+module.exports = {
+  PERMISSIONS,
+  ROLES,
+  hasPermission,
+  hasAnyPermission,
+  hasAllPermissions,
+  getPermissions,
+  getRoles,
+  requirePermissions,
+  requireAnyPermission
+};
--- a/server/routes/index.js
+++ b/server/routes/index.js
@@ -4,6 +4,7 @@ const router = express.Router();
 // Import route modules
 const managementRoutes = require('./management');
 const authRoutes = require('./auth');
+const tenantRoutes = require('./tenant');
 const deviceRoutes = require('./device');
 const userRoutes = require('./user');
 const alertRoutes = require('./alert');
@@ -21,6 +22,9 @@ router.use('/management', managementRoutes);
 // Authentication routes (multi-tenant)
 router.use('/auth', authRoutes);

+// Tenant self-management routes
+router.use('/tenant', tenantRoutes);
+
 // API versioning
 router.use('/v1/devices', deviceRoutes);
 router.use('/v1/users', userRoutes);
--- a/server/routes/tenant.js
+++ b/server/routes/tenant.js
@@ -0,0 +1,453 @@
+/**
+ * Tenant Self-Management Routes
+ * Allows tenant admins to manage their own tenant settings
+ */
+
+const express = require('express');
+const router = express.Router();
+const { Tenant, User } = require('../models');
+const { authenticateToken } = require('../middleware/auth');
+const { requirePermissions, requireAnyPermission, hasPermission } = require('../middleware/rbac');
+const MultiTenantAuth = require('../middleware/multi-tenant-auth');
+
+// Initialize multi-tenant auth
+const multiAuth = new MultiTenantAuth();
+
+/**
+ * GET /tenant/info
+ * Get current tenant information
+ */
+router.get('/info', authenticateToken, requirePermissions(['tenant.view']), async (req, res) => {
+  try {
+    // Determine tenant from request
+    const tenantId = await multiAuth.determineTenant(req);
+    if (!tenantId) {
+      return res.status(400).json({
+        success: false,
+        message: 'Unable to determine tenant'
+      });
+    }
+
+    const tenant = await Tenant.findOne({ where: { slug: tenantId } });
+    if (!tenant) {
+      return res.status(404).json({
+        success: false,
+        message: 'Tenant not found'
+      });
+    }
+
+    // Return tenant info (excluding sensitive data)
+    const tenantInfo = {
+      id: tenant.id,
+      name: tenant.name,
+      slug: tenant.slug,
+      domain: tenant.domain,
+      subscription_type: tenant.subscription_type,
+      is_active: tenant.is_active,
+      auth_provider: tenant.auth_provider,
+      branding: tenant.branding,
+      features: tenant.features,
+      admin_email: tenant.admin_email,
+      admin_phone: tenant.admin_phone,
+      billing_email: tenant.billing_email,
+      created_at: tenant.created_at,
+      // IP restriction info (for security admins only)
+      ip_restriction_enabled: hasPermission(req.user.role, 'security.view') ? tenant.ip_restriction_enabled : undefined,
+      ip_whitelist: hasPermission(req.user.role, 'security.view') ? tenant.ip_whitelist : undefined,
+      ip_restriction_message: hasPermission(req.user.role, 'security.view') ? tenant.ip_restriction_message : undefined
+    };
+
+    res.json({
+      success: true,
+      data: tenantInfo
+    });
+
+  } catch (error) {
+    console.error('Error fetching tenant info:', error);
+    res.status(500).json({
+      success: false,
+      message: 'Failed to fetch tenant information'
+    });
+  }
+});
+
+/**
+ * PUT /tenant/branding
+ * Update tenant branding (branding admin or higher)
+ */
+router.put('/branding', authenticateToken, requirePermissions(['branding.edit']), async (req, res) => {
+  try {
+    // Determine tenant from request
+    const tenantId = await multiAuth.determineTenant(req);
+    if (!tenantId) {
+      return res.status(400).json({
+        success: false,
+        message: 'Unable to determine tenant'
+      });
+    }
+
+    const tenant = await Tenant.findOne({ where: { slug: tenantId } });
+    if (!tenant) {
+      return res.status(404).json({
+        success: false,
+        message: 'Tenant not found'
+      });
+    }
+
+    const { logo_url, primary_color, secondary_color, company_name } = req.body;
+
+    // Validate colors
+    const colorRegex = /^#([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})$/;
+    if (primary_color && !colorRegex.test(primary_color)) {
+      return res.status(400).json({
+        success: false,
+        message: 'Invalid primary color format'
+      });
+    }
+    if (secondary_color && !colorRegex.test(secondary_color)) {
+      return res.status(400).json({
+        success: false,
+        message: 'Invalid secondary color format'
+      });
+    }
+
+    // Update branding
+    const updatedBranding = {
+      ...tenant.branding,
+      logo_url: logo_url || tenant.branding?.logo_url || '',
+      primary_color: primary_color || tenant.branding?.primary_color || '#3B82F6',
+      secondary_color: secondary_color || tenant.branding?.secondary_color || '#1F2937',
+      company_name: company_name || tenant.branding?.company_name || ''
+    };
+
+    await tenant.update({ branding: updatedBranding });
+
+    console.log(`✅ Tenant "${tenantId}" branding updated by user "${req.user.username}"`);
+
+    res.json({
+      success: true,
+      message: 'Branding updated successfully',
+      data: { branding: updatedBranding }
+    });
+
+  } catch (error) {
+    console.error('Error updating tenant branding:', error);
+    res.status(500).json({
+      success: false,
+      message: 'Failed to update branding'
+    });
+  }
+});
+
+/**
+ * PUT /tenant/security
+ * Update tenant security settings (security admin or higher)
+ */
+router.put('/security', authenticateToken, requirePermissions(['security.edit']), async (req, res) => {
+  try {
+    // Determine tenant from request
+    const tenantId = await multiAuth.determineTenant(req);
+    if (!tenantId) {
+      return res.status(400).json({
+        success: false,
+        message: 'Unable to determine tenant'
+      });
+    }
+
+    const tenant = await Tenant.findOne({ where: { slug: tenantId } });
+    if (!tenant) {
+      return res.status(404).json({
+        success: false,
+        message: 'Tenant not found'
+      });
+    }
+
+    const { ip_restriction_enabled, ip_whitelist, ip_restriction_message } = req.body;
+
+    // Validate IP whitelist if provided
+    if (ip_whitelist && Array.isArray(ip_whitelist)) {
+      for (const ip of ip_whitelist) {
+        // Basic IP validation (could be enhanced)
+        if (typeof ip !== 'string' || ip.trim().length === 0) {
+          return res.status(400).json({
+            success: false,
+            message: 'Invalid IP address in whitelist'
+          });
+        }
+      }
+    }
+
+    // Update security settings
+    const updates = {};
+    if (typeof ip_restriction_enabled === 'boolean') {
+      updates.ip_restriction_enabled = ip_restriction_enabled;
+    }
+    if (ip_whitelist) {
+      updates.ip_whitelist = ip_whitelist;
+    }
+    if (ip_restriction_message) {
+      updates.ip_restriction_message = ip_restriction_message;
+    }
+
+    await tenant.update(updates);
+
+    console.log(`✅ Tenant "${tenantId}" security settings updated by user "${req.user.username}"`);
+
+    res.json({
+      success: true,
+      message: 'Security settings updated successfully',
+      data: {
+        ip_restriction_enabled: tenant.ip_restriction_enabled,
+        ip_whitelist: tenant.ip_whitelist,
+        ip_restriction_message: tenant.ip_restriction_message
+      }
+    });
+
+  } catch (error) {
+    console.error('Error updating tenant security:', error);
+    res.status(500).json({
+      success: false,
+      message: 'Failed to update security settings'
+    });
+  }
+});
+
+/**
+ * GET /tenant/users
+ * Get users in current tenant (user admin or higher)
+ */
+router.get('/users', authenticateToken, requirePermissions(['users.view']), async (req, res) => {
+  try {
+    // Determine tenant from request
+    const tenantId = await multiAuth.determineTenant(req);
+    if (!tenantId) {
+      return res.status(400).json({
+        success: false,
+        message: 'Unable to determine tenant'
+      });
+    }
+
+    const tenant = await Tenant.findOne({ where: { slug: tenantId } });
+    if (!tenant) {
+      return res.status(404).json({
+        success: false,
+        message: 'Tenant not found'
+      });
+    }
+
+    // Get users in this tenant
+    const users = await User.findAll({
+      where: { tenant_id: tenant.id },
+      attributes: ['id', 'username', 'email', 'role', 'is_active', 'last_login', 'created_at'],
+      order: [['created_at', 'DESC']]
+    });
+
+    res.json({
+      success: true,
+      data: users
+    });
+
+  } catch (error) {
+    console.error('Error fetching tenant users:', error);
+    res.status(500).json({
+      success: false,
+      message: 'Failed to fetch users'
+    });
+  }
+});
+
+/**
+ * POST /tenant/users
+ * Create a new user in current tenant (user admin or higher, local auth only)
+ */
+router.post('/users', authenticateToken, requirePermissions(['users.create']), async (req, res) => {
+  try {
+    // Determine tenant from request
+    const tenantId = await multiAuth.determineTenant(req);
+    if (!tenantId) {
+      return res.status(400).json({
+        success: false,
+        message: 'Unable to determine tenant'
+      });
+    }
+
+    const tenant = await Tenant.findOne({ where: { slug: tenantId } });
+    if (!tenant) {
+      return res.status(404).json({
+        success: false,
+        message: 'Tenant not found'
+      });
+    }
+
+    // Check if tenant uses local authentication
+    if (tenant.auth_provider !== 'local') {
+      return res.status(400).json({
+        success: false,
+        message: `User creation is only available for local authentication. This tenant uses ${tenant.auth_provider}.`
+      });
+    }
+
+    const { username, email, password, role = 'viewer', is_active = true } = req.body;
+
+    // Validate required fields
+    if (!username || !email || !password) {
+      return res.status(400).json({
+        success: false,
+        message: 'Username, email, and password are required'
+      });
+    }
+
+    // Validate role
+    const validRoles = ['admin', 'operator', 'viewer'];
+    if (!validRoles.includes(role)) {
+      return res.status(400).json({
+        success: false,
+        message: 'Invalid role. Must be admin, operator, or viewer'
+      });
+    }
+
+    // Check if username or email already exists in this tenant
+    const existingUser = await User.findOne({
+      where: {
+        tenant_id: tenant.id,
+        [require('sequelize').Op.or]: [
+          { username },
+          { email }
+        ]
+      }
+    });
+
+    if (existingUser) {
+      return res.status(400).json({
+        success: false,
+        message: 'Username or email already exists in this tenant'
+      });
+    }
+
+    // Create user
+    const user = await User.create({
+      username,
+      email,
+      password_hash: password, // Will be hashed by the model
+      role,
+      is_active,
+      tenant_id: tenant.id,
+      created_by: req.user.id
+    });
+
+    console.log(`✅ User "${username}" created in tenant "${tenantId}" by admin "${req.user.username}"`);
+
+    // Return user data (without password)
+    const userData = {
+      id: user.id,
+      username: user.username,
+      email: user.email,
+      role: user.role,
+      is_active: user.is_active,
+      created_at: user.created_at
+    };
+
+    res.status(201).json({
+      success: true,
+      message: 'User created successfully',
+      data: userData
+    });
+
+  } catch (error) {
+    console.error('Error creating tenant user:', error);
+    res.status(500).json({
+      success: false,
+      message: 'Failed to create user'
+    });
+  }
+});
+
+/**
+ * PUT /tenant/users/:userId/status
+ * Update user status (activate/deactivate) (user admin or higher, local auth only)
+ */
+router.put('/users/:userId/status', authenticateToken, requirePermissions(['users.edit']), async (req, res) => {
+  try {
+    // Determine tenant from request
+    const tenantId = await multiAuth.determineTenant(req);
+    if (!tenantId) {
+      return res.status(400).json({
+        success: false,
+        message: 'Unable to determine tenant'
+      });
+    }
+
+    const tenant = await Tenant.findOne({ where: { slug: tenantId } });
+    if (!tenant) {
+      return res.status(404).json({
+        success: false,
+        message: 'Tenant not found'
+      });
+    }
+
+    // Check if tenant uses local authentication
+    if (tenant.auth_provider !== 'local') {
+      return res.status(400).json({
+        success: false,
+        message: `User management is only available for local authentication. This tenant uses ${tenant.auth_provider}.`
+      });
+    }
+
+    const { userId } = req.params;
+    const { is_active } = req.body;
+
+    if (typeof is_active !== 'boolean') {
+      return res.status(400).json({
+        success: false,
+        message: 'is_active must be a boolean value'
+      });
+    }
+
+    // Find user in this tenant
+    const user = await User.findOne({
+      where: {
+        id: userId,
+        tenant_id: tenant.id
+      }
+    });
+
+    if (!user) {
+      return res.status(404).json({
+        success: false,
+        message: 'User not found in this tenant'
+      });
+    }
+
+    // Prevent self-deactivation
+    if (user.id === req.user.id && !is_active) {
+      return res.status(400).json({
+        success: false,
+        message: 'You cannot deactivate your own account'
+      });
+    }
+
+    // Update user status
+    await user.update({ is_active });
+
+    console.log(`✅ User "${user.username}" ${is_active ? 'activated' : 'deactivated'} in tenant "${tenantId}" by admin "${req.user.username}"`);
+
+    res.json({
+      success: true,
+      message: `User ${is_active ? 'activated' : 'deactivated'} successfully`,
+      data: {
+        id: user.id,
+        username: user.username,
+        is_active: user.is_active
+      }
+    });
+
+  } catch (error) {
+    console.error('Error updating user status:', error);
+    res.status(500).json({
+      success: false,
+      message: 'Failed to update user status'
+    });
+  }
+});
+
+module.exports = router;
--- a/server/test-rbac.js
+++ b/server/test-rbac.js
@@ -0,0 +1,131 @@
+/**
+ * Test script to verify RBAC system functionality
+ */
+
+const { hasPermission, ROLES, PERMISSIONS } = require('./middleware/rbac');
+
+// Mock users with different roles
+const users = {
+  admin: {
+    id: 1,
+    username: 'super_admin',
+    role: 'admin'
+  },
+  user_admin: {
+    id: 2,
+    username: 'user_manager',
+    role: 'user_admin'
+  },
+  security_admin: {
+    id: 3,
+    username: 'security_manager',
+    role: 'security_admin'
+  },
+  branding_admin: {
+    id: 4,
+    username: 'branding_manager',
+    role: 'branding_admin'
+  },
+  operator: {
+    id: 5,
+    username: 'basic_operator',
+    role: 'operator'
+  },
+  viewer: {
+    id: 6,
+    username: 'read_only',
+    role: 'viewer'
+  }
+};
+
+// Test scenarios
+const testScenarios = [
+  {
+    name: 'Admin - Full Access',
+    user: users.admin,
+    permissions: ['tenant.view', 'tenant.edit', 'branding.edit', 'security.edit', 'users.create', 'users.edit', 'users.delete'],
+    expectedResults: [true, true, true, true, true, true, true]
+  },
+  {
+    name: 'User Admin - User Management Only',
+    user: users.user_admin,
+    permissions: ['tenant.view', 'tenant.edit', 'branding.edit', 'security.edit', 'users.create', 'users.edit', 'users.delete'],
+    expectedResults: [true, false, false, false, true, true, true]
+  },
+  {
+    name: 'Security Admin - Security Only',
+    user: users.security_admin,
+    permissions: ['tenant.view', 'tenant.edit', 'branding.edit', 'security.edit', 'users.create', 'users.edit', 'users.delete'],
+    expectedResults: [true, false, false, true, false, false, false]
+  },
+  {
+    name: 'Branding Admin - Branding Only',
+    user: users.branding_admin,
+    permissions: ['tenant.view', 'tenant.edit', 'branding.edit', 'security.edit', 'users.create', 'users.edit', 'users.delete'],
+    expectedResults: [true, false, true, false, false, false, false]
+  },
+  {
+    name: 'Operator - Limited Access',
+    user: users.operator,
+    permissions: ['tenant.view', 'tenant.edit', 'branding.edit', 'security.edit', 'users.create', 'users.edit', 'users.delete'],
+    expectedResults: [true, false, false, false, false, false, false]
+  },
+  {
+    name: 'Viewer - Read Only',
+    user: users.viewer,
+    permissions: ['tenant.view', 'tenant.edit', 'branding.edit', 'security.edit', 'users.create', 'users.edit', 'users.delete'],
+    expectedResults: [true, false, false, false, false, false, false]
+  }
+];
+
+console.log('🧪 Testing RBAC System\n');
+
+// Display available roles and permissions
+console.log('📋 Available Roles:');
+Object.keys(ROLES).forEach(role => {
+  console.log(`  ${role}: ${ROLES[role].join(', ')}`);
+});
+
+console.log('\n📋 Available Permissions:');
+Object.keys(PERMISSIONS).forEach(category => {
+  console.log(`  ${category}:`);
+  PERMISSIONS[category].forEach(permission => {
+    console.log(`    - ${permission}`);
+  });
+});
+
+console.log('\n🔍 Running Permission Tests:\n');
+
+// Run tests
+let totalTests = 0;
+let passedTests = 0;
+
+testScenarios.forEach(scenario => {
+  console.log(`\n👤 ${scenario.name} (${scenario.user.username})`);
+  console.log('─'.repeat(50));
+  
+  scenario.permissions.forEach((permission, index) => {
+    totalTests++;
+    const result = hasPermission(scenario.user, permission);
+    const expected = scenario.expectedResults[index];
+    const passed = result === expected;
+    
+    if (passed) passedTests++;
+    
+    const status = passed ? '✅' : '❌';
+    const expectedText = expected ? 'ALLOW' : 'DENY';
+    const actualText = result ? 'ALLOW' : 'DENY';
+    
+    console.log(`  ${status} ${permission}: Expected ${expectedText}, Got ${actualText}`);
+  });
+});
+
+console.log('\n📊 Test Results:');
+console.log(`  Passed: ${passedTests}/${totalTests}`);
+console.log(`  Success Rate: ${Math.round((passedTests/totalTests) * 100)}%`);
+
+if (passedTests === totalTests) {
+  console.log('\n🎉 All tests passed! RBAC system is working correctly.');
+} else {
+  console.log('\n⚠️  Some tests failed. Please check the RBAC configuration.');
+}