const getDatasetInfoFromES = require('./elasticsearch.helpers.js').getDatasetInfoFromES;
const validateUserAccesses = require('./userAccesses.helpers.js').validateUserAccesses;
const getRedisValue = require('../helpers/redis.helpers.js').getRedisValue;
const setRedisValue = require('../helpers/redis.helpers.js').setRedisValue;
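/**
 * Decide whether a download request for `layer` / `service` may be proxied,
 * and hand it to the matching proxy.
 *
 * Flow:
 *  1. Ask Elasticsearch whether the dataset is open access; if so, proxy
 *     without the technical account credentials.
 *  2. Otherwise reject anonymous consumers with a 401.
 *  3. Otherwise use the cached decision in Redis when there is one, or ask
 *     the legacy auth middleware and cache its answer.
 *
 * Security notes:
 *  - The identity headers `x-anonymous-consumer` and `x-consumer-username`
 *    are read from the request as-is. NOTE(review): this assumes an upstream
 *    gateway sets them and removes client-supplied copies; confirm that this
 *    service cannot be reached without going through it.
 *  - The cached decision is keyed on layer, service and username only, while
 *    the live check is made against `${req.params.repo}/${layer}`.
 *    NOTE(review): if the same layer name can exist under two repos, a cached
 *    decision for one would be reused for the other; confirm layer names are
 *    unique or add the repo to the key.
 *  - NOTE(review): the key parts are joined with `-`, so values that contain
 *    `-` themselves can produce the same key for different triples.
 *
 * @param {object} req - Express request; reads `app.locals.config`,
 *   `app.locals.proxies`, `headers` and `params.repo`.
 * @param {object} res - Express response, passed through to the proxy.
 * @param {string} layer - Layer (dataset) identifier.
 * @param {string} service - Service the access is checked for.
 * @param {string} pathToFile - Forwarded to `getDatasetInfoFromES`.
 * @returns {Promise<void>} Resolves once the request was handed to a proxy.
 * @throws {{status: number, message: string}} 401 for an anonymous consumer
 *   on a restricted dataset, 403 when access is denied.
 */
module.exports.requestProcessor = async (req, res, layer, service, pathToFile) => {
  const { config, proxies } = req.app.locals;

  const source = await getDatasetInfoFromES(
    config.elasticsearchUrl,
    layer,
    [
      "editorial-metadata.isOpenAccess"
    ],
    req.headers.cookie,
    pathToFile
  );

  // Open-access dataset: proxy without adding the technical account credentials.
  // A missing or falsy flag falls through to the restricted path (fail closed).
  // NOTE(review): this is a truthiness test, so a non-boolean value such as the
  // string "false" would count as open access; confirm the field is a boolean.
  if (source['editorial-metadata'].isOpenAccess) {
    proxies.unauthenticated.web(req, res, {});
    return;
  }

  // The dataset is restricted from here on: anonymous consumers get a 401 directly.
  if (req.headers['x-anonymous-consumer']) {
    throw {
      status: 401,
      message: "Unauthenticated, you need to be authenticated to access this resource."
    }
  }

  // Without a username the cache key would end in "undefined" and be shared by
  // every such request, so one consumer's cached grant would apply to the
  // others. In that case skip the cache and always run the live check.
  const username = req.headers['x-consumer-username'];
  const canUseCache = typeof username === 'string' && username !== '';
  const cacheKey = `download-${layer}-${service}-${username}`;
  const redisTarget = [config.redisSentinelHost, config.redisSentinelPort, config.redisGroupName];

  if (canUseCache) {
    // Look for an existing decision for this user, layer and service in redis.
    const cached = await getRedisValue(...redisTarget, cacheKey);

    // Cached grant: proxy the request adding the technical account credentials.
    if (cached === 'true') {
      proxies.authenticated.web(req, res, {});
      return;
    }

    // Cached denial: send a 403 without asking the auth middleware again.
    if (cached === 'false') {
      throw {
        status: 403,
        message: "Forbidden access."
      }
    }
  }

  // No usable cached decision: check the user rights against the auth middleware.
  const userAccesses = await validateUserAccesses(config.legacyAuthMiddlewareUrl, req.headers, `${req.params.repo}/${layer}`, service);

  if (!userAccesses) {
    if (canUseCache) {
      await setRedisValue(...redisTarget, cacheKey, false, config.redisUnauthorizedTTL);
    }
    throw {
      status: 403,
      message: "Forbidden access."
    }
  }

  // A grant stays valid for redisAuthorizedTTL, so a revoked right keeps
  // working until the entry expires.
  if (canUseCache) {
    await setRedisValue(...redisTarget, cacheKey, true, config.redisAuthorizedTTL);
  }
  proxies.authenticated.web(req, res, {});
  return;
}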