External repository catalog and user access management

.env.example

@@ -125,6 +125,9 @@ REDIS_PORT=6379
 REDIS_HOST=localhost
 REDIS_PASSWORD=
 
+# External repository access management
+EXTERNAL_ACCESS_MANAGEMENT=false
+
 # Cypress
 CYPRESS_USERNAME=admin1@example.com
 CYPRESS_PASSWORD=admin123.

client/components/catalog/Card/Tags/index.vue

@@ -2,19 +2,23 @@
   <div class="tags-container">
     <div class="tag-list d-flex align-center">
       <v-chip
-        v-for="{ id, name, truncatedName } in tags"
+        v-for="{ id, name, isAccessTag, truncatedName } in tags"
         :key="id"
         @click:close="showDeleteConfirmation(id, name)"
-        color="primary darken-1"
+        :close="!isAccessTag"
+        :color="isAccessTag ? 'secondary darken-1' : 'primary darken-1'"
         close-label="Remove tag"
-        label close small
+        label small
         class="mr-2 mb-1">
         <v-tooltip
           :disabled="name.length === truncatedName.length"
           open-delay="100"
           bottom>
           <template #activator="{ on }">
-            <span v-on="on">{{ truncatedName }}</span>
+            <span v-on="on" class="d-flex">
+              <v-icon size="18" class="pr-2">mdi-account-supervisor</v-icon>
+              {{ truncatedName }}
+            </span>
           </template>
           <span>{{ name }}</span>
         </v-tooltip>

client/components/catalog/Container.vue

@@ -84,6 +84,7 @@ export default {
   name: 'catalog-container',
   data: () => ({ loading: true }),
   computed: {
+    isExternalAccessManagement: () => process.env.EXTERNAL_ACCESS_MANAGEMENT,
     ...mapState('repositories', {
       sortBy: state => state.$internals.sort,
       repositoryFilter: 'repositoryFilter',
@@ -153,6 +154,9 @@ export default {
     }
   },
   created() {
+    if (this.isExternalAccessManagement) {
+      this.$router.go(-1);
+    }
     // repositories must be reloaded for publishing badge to work properly
     // reset state manually to trigger "infinite" event in all cases
     this.resetPagination();

client/components/common/Navbar.vue

@@ -63,11 +63,13 @@ export default {
     ...mapGetters('repository', ['repository']),
     title: () => BRAND_CONFIG.TITLE,
     logo: () => BRAND_CONFIG.LOGO_FULL,
+    isExternalAccessManagement: () => process.env.EXTERNAL_ACCESS_MANAGEMENT,
     routes() {
       const items = [
         { name: 'Catalog', to: { name: 'catalog' } },
         { name: 'Admin', to: { name: 'system-user-management' } }
       ];
+      if (this.isExternalAccessManagement) items.shift();
       if (!this.isAdmin) items.pop();
       if (this.repository) {
         items.unshift({

client/components/repository/Settings/Sidebar.vue

@@ -43,20 +43,29 @@
 export default {
   name: 'repository-settings-sidebar',
   computed: {
+    isExternalAccessManagement: () => process.env.EXTERNAL_ACCESS_MANAGEMENT,
     routes() {
       const { query } = this.$route;
-      return [
+      const entries = [
         { label: 'General', name: 'repository-info', icon: 'wrench' },
         { label: 'People', name: 'user-management', icon: 'account' }
       ].map(route => ({ ...route, query }));
+      if (this.isExternalAccessManagement) entries.pop();
+      return entries;
     },
     actions() {
-      return [
-        { label: 'Clone', icon: 'content-copy', name: 'clone' },
+      const defaultEntries = [
         { label: 'Publish', icon: 'upload', name: 'publish' },
         { label: 'Export', icon: 'export', name: 'export' },
         { label: 'Delete', icon: 'delete', name: 'delete', color: 'error' }
       ];
+      const conditionalEntries = this.isExternalAccessManagement
+        ? []
+        : [{ label: 'Clone', icon: 'content-copy', name: 'clone' }];
+      return [
+        ...defaultEntries,
+        ...conditionalEntries
+      ];
     }
   }
 };

client/components/repository/Settings/UserManagement/index.vue

@@ -18,8 +18,12 @@ import UserList from './UserList.vue';
 export default {
   name: 'repository-user-management',
   computed: {
+    isExternalAccessManagement: () => process.env.EXTERNAL_ACCESS_MANAGEMENT,
     roles: () => map(role.repository, value => ({ text: titleCase(value), value }))
   },
+  created() {
+    if (this.isExternalAccessManagement) this.$router.go(-1);
+  },
   components: {
     AddUserDialog,
     UserList

client/components/system-settings/Sidebar.vue

@@ -20,12 +20,15 @@
 export default {
   name: 'system-settings-sidebar',
   computed: {
+    isExternalAccessManagement: () => process.env.EXTERNAL_ACCESS_MANAGEMENT,
     routes() {
-      return [
+      const items = [
         { label: 'System Users', name: 'system-user-management', icon: 'account' },
         { label: 'Structure Types', name: 'installed-schemas', icon: 'file-tree' },
         { label: 'Installed Elements', name: 'installed-elements', icon: 'puzzle' }
       ];
+      if (this.isExternalAccessManagement) items.shift();
+      return items;
     }
   }
 };

client/components/system-settings/UserManagement/index.vue

@@ -123,6 +123,7 @@ export default {
   },
   computed: {
     ...mapState({ user: state => state.auth.user }),
+    isExternalAccessManagement: () => process.env.EXTERNAL_ACCESS_MANAGEMENT,
     headers,
     defaultPage
   },
@@ -166,6 +167,9 @@ export default {
       this.fetch();
     }
   },
+  created() {
+    if (this.isExternalAccessManagement) this.$router.go(-1);
+  },
   components: { UserDialog }
 };
 </script>

config/server/index.js

@@ -6,12 +6,14 @@ import * as store from './store.js';
 import * as tce from './tce.js';
 import isLocalhost from 'is-localhost';
 import parse from 'url-parse';
+import yn from 'yn';
 
 const hostname = resolveHostname();
 const protocol = resolveProtocol(hostname);
 const port = resolvePort();
 const origin = resolveOrigin(hostname, protocol, port);
 const previewUrl = process.env.PREVIEW_URL;
+const isExternalAccessManagement = yn(process.env.EXTERNAL_ACCESS_MANAGEMENT);
 
 // Legacy config support
 function resolveHostname() {
@@ -54,7 +56,8 @@ export {
   previewUrl,
   consumer,
   store,
-  tce
+  tce,
+  isExternalAccessManagement
 };
 
 export default {
@@ -68,5 +71,6 @@ export default {
   previewUrl,
   consumer,
   store,
-  tce
+  tce,
+  isExternalAccessManagement
 };

config/shared/role.js

@@ -1,7 +1,7 @@
 import values from 'lodash/values.js';
 
 const role = {
-  user: { USER: 'USER', ADMIN: 'ADMIN' },
+  user: { USER: 'USER', ADMIN: 'ADMIN', INTEGRATION: 'INTEGRATION' },
   repository: { ADMIN: 'ADMIN', AUTHOR: 'AUTHOR' }
 };
 

server/repository/index.js

@@ -1,43 +1,50 @@
+import { authorize, authorizeIntegration } from '../shared/auth/mw.js';
 import { NOT_FOUND, UNAUTHORIZED } from 'http-status-codes';
-import { authorize } from '../shared/auth/mw.js';
 import { createError } from '../shared/error/helpers.js';
 import ctrl from './repository.controller.js';
 import db from '../shared/database/index.js';
 import express from 'express';
 import feed from './feed/index.js';
+import { isExternalAccessManagement } from '../../config/server/index.js';
 import multer from 'multer';
 import path from 'node:path';
 import processQuery from '../shared/util/processListQuery.js';
 import proxy from './proxy.js';
 import proxyMw from '../shared/storage/proxy/mw.js';
+import roleConfig from '../../config/shared/role.js';
 import storage from './storage.js';
 
 /* eslint-disable */
 import activity from '../activity/index.js';
 import comment from '../comment/index.js';
 import revision from '../revision/index.js';
 import contentElement from '../content-element/index.js';
+const { user: role } = roleConfig;
 import storageRouter from '../shared/storage/storage.router.js';
 /* eslint-enable */
 
-const { Repository } = db;
+const { Repository, Tag } = db;
 const router = express.Router();
 const { setSignedCookies } = proxyMw(storage, proxy);
 
+const authorizeUser = isExternalAccessManagement
+  ? authorizeIntegration
+  : authorize();
+
 // NOTE: disk storage engine expects an object to be passed as the first argument
 // https://github.com/expressjs/multer/blob/6b5fff5/storage/disk.js#L17-L18
 const upload = multer({ storage: multer.diskStorage({}) });
 
 router
-  .post('/import', authorize(), upload.single('archive'), ctrl.import);
+  .post('/import', authorizeUser, upload.single('archive'), ctrl.import);
 
 router
   .param('repositoryId', getRepository)
   .use('/:repositoryId', hasAccess, setSignedCookies);
 
 router.route('/')
   .get(processQuery({ limit: 100 }), ctrl.index)
-  .post(authorize(), ctrl.create);
+  .post(authorizeUser, ctrl.create);
 
 router.route('/:repositoryId')
   .get(ctrl.get)
@@ -46,15 +53,15 @@ router.route('/:repositoryId')
 
 router
   .post('/:repositoryId/pin', ctrl.pin)
-  .post('/:repositoryId/clone', authorize(), ctrl.clone)
+  .post('/:repositoryId/clone', authorizeUser, ctrl.clone)
   .post('/:repositoryId/publish', ctrl.publishRepoInfo)
   .get('/:repositoryId/users', ctrl.getUsers)
   .get('/:repositoryId/export/setup', ctrl.initiateExportJob)
   .post('/:repositoryId/export/:jobId', ctrl.export)
-  .post('/:repositoryId/users', ctrl.upsertUser)
-  .delete('/:repositoryId/users/:userId', ctrl.removeUser)
-  .post('/:repositoryId/tags', ctrl.addTag)
-  .delete('/:repositoryId/tags/:tagId', ctrl.removeTag);
+  .post('/:repositoryId/users', authorizeUser, ctrl.upsertUser)
+  .delete('/:repositoryId/users/:userId', authorizeUser, ctrl.removeUser)
+  .post('/:repositoryId/tags', authorizeUser, ctrl.addTag)
+  .delete('/:repositoryId/tags/:tagId', authorizeUser, ctrl.removeTag);
 
 mount(router, '/:repositoryId', feed);
 mount(router, '/:repositoryId', activity);
@@ -68,7 +75,8 @@ function mount(router, mountPath, subrouter) {
 }
 
 function getRepository(req, _res, next, repositoryId) {
-  return Repository.findByPk(repositoryId, { paranoid: false })
+  return Repository
+    .findByPk(repositoryId, { include: [{ model: Tag }], paranoid: false })
     .then(repository => repository || createError(NOT_FOUND, 'Repository not found'))
     .then(repository => {
       req.repository = repository;
@@ -79,6 +87,13 @@ function getRepository(req, _res, next, repositoryId) {
 function hasAccess(req, _res, next) {
   const { user, repository } = req;
   if (user.isAdmin()) return next();
+  const repositoryTagIds = repository.tags
+    ?.filter(it => it.isAccessTag)
+    .map(it => it.id);
+  if (repositoryTagIds.length && user.isAssociatedWithSomeTag(repositoryTagIds)) {
+    req.repositoryRole = role.ADMIN;
+    return next();
+  }
   return repository.getUser(user)
     .then(user => user || createError(UNAUTHORIZED, 'Access restricted'))
     .then(user => {

server/repository/repository.controller.js

@@ -1,6 +1,7 @@
 import * as fs from 'node:fs';
 import * as fsp from 'node:fs/promises';
-import { NO_CONTENT, NOT_FOUND } from 'http-status-codes';
+import { FORBIDDEN, NO_CONTENT, NOT_FOUND } from 'http-status-codes';
+import { repository as role, user as userRole } from '../../config/shared/role.js';
 import { createError } from '../shared/error/helpers.js';
 import db from '../shared/database/index.js';
 import getVal from 'lodash/get.js';
@@ -9,7 +10,6 @@ import { Op } from 'sequelize';
 import pick from 'lodash/pick.js';
 import Promise from 'bluebird';
 import publishingService from '../shared/publishing/publishing.service.js';
-import { repository as role } from '../../config/shared/role.js';
 import sample from 'lodash/sample.js';
 import { schema } from '../../config/shared/tailor.loader.js';
 import { snakeCase } from 'change-case';
@@ -171,15 +171,27 @@ function findOrCreateRole(repository, user, role) {
   .then(() => user);
 }
 
-function addTag({ body: { name }, repository }, res) {
+function addTag(
+  {
+    body: { name, isAccessTag = false },
+    user,
+    repository
+  },
+  res
+) {
   return sequelize.transaction(async transaction => {
-    const [tag] = await Tag.findOrCreate({ where: { name }, transaction });
+    const tag = await Tag.fetchOrCreate({ user, name, isAccessTag, transaction });
     await repository.addTags([tag], { transaction });
     return res.json({ data: tag });
   });
 }
 
-async function removeTag({ params: { tagId, repositoryId } }, res) {
+async function removeTag({ user, params: { tagId, repositoryId } }, res) {
+  const tag = await Tag.findByPk(tagId);
+  if (!tag) return createError(NOT_FOUND, 'Tag not found');
+  if (tag.isAccessTag && user.role !== userRole.INTEGRATION) {
+    return createError(FORBIDDEN, 'Can be removed only by integration users');
+  }
   const where = { tagId, repositoryId };
   await RepositoryTag.destroy({ where });
   return res.status(NO_CONTENT).send();
@@ -222,8 +234,8 @@ function importRepository({ body, file, user }, res) {
   return TransferService
     .createImportJob(path, options)
     .toPromise()
-    .finally(() => {
-      fs.unlink(path);
+    .finally(async () => {
+      await fsp.unlink(path);
       res.end();
     });
 }

server/shared/auth/index.js

@@ -16,7 +16,9 @@ const options = {
 };
 
 auth.use(new LocalStrategy(options, (email, password, done) => {
-  return User.unscoped().findOne({ where: { email } })
+  return User
+    .unscoped()
+    .findOne({ where: { email } })
     .then(user => user && user.authenticate(password))
     .then(user => done(null, user || false))
     .error(err => done(err, false));
@@ -27,7 +29,8 @@ auth.use(new JwtStrategy({
   audience: Audience.Scope.Access,
   jwtFromRequest: ExtractJwt.fromExtractors([
     extractJwtFromCookie,
-    ExtractJwt.fromBodyField('token')
+    ExtractJwt.fromBodyField('token'),
+    ExtractJwt.fromHeader('access_token')
   ]),
   secretOrKey: config.jwt.secret
 }, verifyJWT));
@@ -50,7 +53,7 @@ auth.deserializeUser((user, done) => done(null, user));
 export default auth;
 
 function verifyJWT(payload, done) {
-  return User.unscoped().findByPk(payload.id)
+  return User.unscoped().findByPk(payload.id, { include: ['userTags'] })
     .then(user => done(null, user || false))
     .error(err => done(err, false));
 }