From f3bcc9365cd6f08b0a32c132e8e5ff6d1b650863 Mon Sep 17 00:00:00 2001 From: Daniel Date: Mon, 9 Jan 2023 08:02:12 +1100 Subject: [PATCH] feat: Access the internal scope of Parse Server using the new `maintenanceKey`; the internal scope contains unofficial and undocumented fields (prefixed with underscore `_`) which are used internally by Parse Server; you may want to manipulate these fields for out-of-band changes such as data migration or correction tasks; changes within the internal scope of Parse Server may happen at any time without notice or changelog entry, it is therefore recommended to look at the source code of Parse Server to understand the effects of manipulating internal fields before using the key; it is discouraged to use the `maintenanceKey` for routine operations in a production environment; see [access scopes](https://github.com/parse-community/parse-server#access-scopes) (#8212) BREAKING CHANGE: Fields in the internal scope of Parse Server (prefixed with underscore `_`) are only returned using the new `maintenanceKey`; previously the `masterKey` allowed reading of internal fields; see [access scopes](https://github.com/parse-community/parse-server#access-scopes) for a comparison of the keys' access permissions (#8212) --- README.md | 10 +++ spec/EmailVerificationToken.spec.js | 22 +++-- spec/Middlewares.spec.js | 16 ++++ spec/ParseLiveQuery.spec.js | 13 ++- spec/ParseUser.spec.js | 124 ++++++++++++++++++++++---- spec/PasswordPolicy.spec.js | 30 +++++-- spec/RegexVulnerabilities.spec.js | 30 +++++-- spec/helper.js | 1 - spec/rest.spec.js | 9 ++ src/Auth.js | 13 ++- src/Config.js | 13 ++- src/Controllers/DatabaseController.js | 56 +++++++----- src/Controllers/SchemaController.js | 13 ++- src/Controllers/UserController.js | 19 ++-- src/LiveQuery/ParseLiveQueryServer.js | 1 + src/Options/Definitions.js | 15 +++- src/Options/docs.js | 4 +- src/Options/index.js | 7 +- src/ParseServer.js | 4 - src/RestWrite.js | 31 ++++--- src/Routers/UsersRouter.js | 2 +- src/middlewares.js | 19 ++++ src/rest.js | 21 +++-- 23 files changed, 371 insertions(+), 102 deletions(-) diff --git a/README.md b/README.md index 8c5c5d818c..634a7b25e0 100644 --- a/README.md +++ b/README.md @@ -60,6 +60,7 @@ A big *thank you* 🙏 to our [sponsors](#sponsors) and [backers](#backers) who - [Configuration](#configuration) - [Basic Options](#basic-options) - [Client Key Options](#client-key-options) + - [Access Scopes](#access-scopes) - [Email Verification and Password Reset](#email-verification-and-password-reset) - [Password and Account Policy](#password-and-account-policy) - [Custom Routes](#custom-routes) @@ -357,6 +358,15 @@ The client keys used with Parse are no longer necessary with Parse Server. If yo * `restAPIKey` * `dotNetKey` +## Access Scopes + +| Scope | Internal data | Custom data | Restricted by CLP, ACL | Key | +|----------------|---------------|-------------|------------------------|---------------------| +| Internal | r/w | r/w | no | `maintenanceKey` | +| Master | -/- | r/w | no | `masterKey` | +| ReadOnlyMaster | -/- | r/- | no | `readOnlyMasterKey` | +| Session | -/- | r/w | yes | `sessionToken` | + ## Email Verification and Password Reset Verifying user email addresses and enabling password reset via email requires an email adapter. There are many email adapters provided and maintained by the community. The following is an example configuration with an example email adapter. See the [Parse Server Options](https://parseplatform.org/parse-server/api/master/ParseServerOptions.html) for more details and a full list of available options. diff --git a/spec/EmailVerificationToken.spec.js b/spec/EmailVerificationToken.spec.js index 50b626de0d..e21a049719 100644 --- a/spec/EmailVerificationToken.spec.js +++ b/spec/EmailVerificationToken.spec.js @@ -1,5 +1,6 @@ 'use strict'; +const Auth = require('../lib/Auth'); const Config = require('../lib/Config'); const request = require('../lib/request'); @@ -262,9 +263,14 @@ describe('Email Verification Token Expiration: ', () => { }) .then(() => { const config = Config.get('test'); - return config.database.find('_User', { - username: 'sets_email_verify_token_expires_at', - }); + return config.database.find( + '_User', + { + username: 'sets_email_verify_token_expires_at', + }, + {}, + Auth.maintenance(config) + ); }) .then(results => { expect(results.length).toBe(1); @@ -499,7 +505,12 @@ describe('Email Verification Token Expiration: ', () => { .then(() => { const config = Config.get('test'); return config.database - .find('_User', { username: 'newEmailVerifyTokenOnEmailReset' }) + .find( + '_User', + { username: 'newEmailVerifyTokenOnEmailReset' }, + {}, + Auth.maintenance(config) + ) .then(results => { return results[0]; }); @@ -582,7 +593,7 @@ describe('Email Verification Token Expiration: ', () => { // query for this user again const config = Config.get('test'); return config.database - .find('_User', { username: 'resends_verification_token' }) + .find('_User', { username: 'resends_verification_token' }, {}, Auth.maintenance(config)) .then(results => { return results[0]; }); @@ -599,6 +610,7 @@ describe('Email Verification Token Expiration: ', () => { done(); }) .catch(error => { + console.log(error); jfail(error); done(); }); diff --git a/spec/Middlewares.spec.js b/spec/Middlewares.spec.js index c1544c311a..12bfc59bf7 100644 --- a/spec/Middlewares.spec.js +++ b/spec/Middlewares.spec.js @@ -162,6 +162,22 @@ describe('middlewares', () => { expect(fakeReq.auth.isMaster).toBe(false); }); + it('should not succeed if the ip does not belong to maintenanceKeyIps list', async () => { + const logger = require('../lib/logger').logger; + spyOn(logger, 'error').and.callFake(() => {}); + AppCache.put(fakeReq.body._ApplicationId, { + maintenanceKey: 'masterKey', + maintenanceKeyIps: ['10.0.0.0', '10.0.0.1'], + }); + fakeReq.ip = '10.0.0.2'; + fakeReq.headers['x-parse-maintenance-key'] = 'masterKey'; + await new Promise(resolve => middlewares.handleParseHeaders(fakeReq, fakeRes, resolve)); + expect(fakeReq.auth.isMaintenance).toBe(false); + expect(logger.error).toHaveBeenCalledWith( + `Request using maintenance key rejected as the request IP address '10.0.0.2' is not set in Parse Server option 'maintenanceKeyIps'.` + ); + }); + it('should succeed if the ip does belong to masterKeyIps list', async () => { AppCache.put(fakeReq.body._ApplicationId, { masterKey: 'masterKey', diff --git a/spec/ParseLiveQuery.spec.js b/spec/ParseLiveQuery.spec.js index cc96862350..e2a5f68d3b 100644 --- a/spec/ParseLiveQuery.spec.js +++ b/spec/ParseLiveQuery.spec.js @@ -1,4 +1,5 @@ 'use strict'; +const Auth = require('../lib/Auth'); const UserController = require('../lib/Controllers/UserController').UserController; const Config = require('../lib/Config'); const validatorFail = () => { @@ -977,6 +978,7 @@ describe('ParseLiveQuery', function () { }; await reconfigureServer({ + maintenanceKey: 'test2', liveQuery: { classNames: [Parse.User], }, @@ -998,9 +1000,14 @@ describe('ParseLiveQuery', function () { .signUp() .then(() => { const config = Config.get('test'); - return config.database.find('_User', { - username: 'zxcv', - }); + return config.database.find( + '_User', + { + username: 'zxcv', + }, + {}, + Auth.maintenance(config) + ); }) .then(async results => { const foundUser = results[0]; diff --git a/spec/ParseUser.spec.js b/spec/ParseUser.spec.js index ed1390d5b8..4d3beaf349 100644 --- a/spec/ParseUser.spec.js +++ b/spec/ParseUser.spec.js @@ -3522,40 +3522,128 @@ describe('Parse.User testing', () => { }); }); - it('should not allow updates to hidden fields', done => { + it('should not allow updates to hidden fields', async () => { const emailAdapter = { sendVerificationEmail: () => {}, sendPasswordResetEmail: () => Promise.resolve(), sendMail: () => Promise.resolve(), }; - const user = new Parse.User(); user.set({ username: 'hello', password: 'world', email: 'test@email.com', }); + await reconfigureServer({ + appName: 'unused', + verifyUserEmails: true, + emailAdapter: emailAdapter, + publicServerURL: 'http://localhost:8378/1', + }); + await user.signUp(); + user.set('_email_verify_token', 'bad', { ignoreValidation: true }); + await expectAsync(user.save()).toBeRejectedWith( + new Parse.Error(Parse.Error.INVALID_KEY_NAME, 'Invalid field name: _email_verify_token.') + ); + }); - reconfigureServer({ + it('should allow updates to fields with maintenanceKey', async () => { + const emailAdapter = { + sendVerificationEmail: () => {}, + sendPasswordResetEmail: () => Promise.resolve(), + sendMail: () => Promise.resolve(), + }; + const user = new Parse.User(); + user.set({ + username: 'hello', + password: 'world', + email: 'test@example.com', + }); + await reconfigureServer({ appName: 'unused', + maintenanceKey: 'test2', verifyUserEmails: true, + emailVerifyTokenValidityDuration: 5, + accountLockout: { + duration: 1, + threshold: 1, + }, emailAdapter: emailAdapter, publicServerURL: 'http://localhost:8378/1', - }) - .then(() => { - return user.signUp(); - }) - .then(() => { - return Parse.User.current().set('_email_verify_token', 'bad').save(); - }) - .then(() => { - fail('Should not be able to update email verification token'); - done(); - }) - .catch(err => { - expect(err).toBeDefined(); - done(); - }); + }); + await user.signUp(); + for (let i = 0; i < 2; i++) { + try { + await Parse.User.logIn(user.getEmail(), 'abc'); + } catch (e) { + expect(e.code).toBe(Parse.Error.OBJECT_NOT_FOUND); + expect( + e.message === 'Invalid username/password.' || + e.message === + 'Your account is locked due to multiple failed login attempts. Please try again after 1 minute(s)' + ).toBeTrue(); + } + } + await Parse.User.requestPasswordReset(user.getEmail()); + const headers = { + 'X-Parse-Application-Id': 'test', + 'X-Parse-Rest-API-Key': 'rest', + 'X-Parse-Maintenance-Key': 'test2', + 'Content-Type': 'application/json', + }; + const userMaster = await request({ + method: 'GET', + url: `http://localhost:8378/1/classes/_User`, + json: true, + headers, + }).then(res => res.data.results[0]); + expect(Object.keys(userMaster).sort()).toEqual( + [ + 'ACL', + '_account_lockout_expires_at', + '_email_verify_token', + '_email_verify_token_expires_at', + '_failed_login_count', + '_perishable_token', + 'createdAt', + 'email', + 'emailVerified', + 'objectId', + 'updatedAt', + 'username', + ].sort() + ); + const toSet = { + _account_lockout_expires_at: new Date(), + _email_verify_token: 'abc', + _email_verify_token_expires_at: new Date(), + _failed_login_count: 0, + _perishable_token_expires_at: new Date(), + _perishable_token: 'abc', + }; + await request({ + method: 'PUT', + headers, + url: Parse.serverURL + '/users/' + userMaster.objectId, + json: true, + body: toSet, + }).then(res => res.data); + const update = await request({ + method: 'GET', + url: `http://localhost:8378/1/classes/_User`, + json: true, + headers, + }).then(res => res.data.results[0]); + for (const key in toSet) { + const value = toSet[key]; + if (update[key] && update[key].iso) { + expect(update[key].iso).toEqual(value.toISOString()); + } else if (value.toISOString) { + expect(update[key]).toEqual(value.toISOString()); + } else { + expect(update[key]).toEqual(value); + } + } }); it('should revoke sessions when setting paswword with masterKey (#3289)', done => { diff --git a/spec/PasswordPolicy.spec.js b/spec/PasswordPolicy.spec.js index 6d00ddfa28..4ea6ed2002 100644 --- a/spec/PasswordPolicy.spec.js +++ b/spec/PasswordPolicy.spec.js @@ -1677,12 +1677,19 @@ describe('Password Policy: ', () => { }); it('should not infinitely loop if maxPasswordHistory is 1 (#4918)', async () => { + const headers = { + 'X-Parse-Application-Id': 'test', + 'X-Parse-Rest-API-Key': 'test', + 'X-Parse-Maintenance-Key': 'test2', + 'Content-Type': 'application/json', + }; const user = new Parse.User(); const query = new Parse.Query(Parse.User); await reconfigureServer({ appName: 'passwordPolicy', verifyUserEmails: false, + maintenanceKey: 'test2', passwordPolicy: { maxPasswordHistory: 1, }, @@ -1696,15 +1703,28 @@ describe('Password Policy: ', () => { user.setPassword('user2'); await user.save(); - const result1 = await query.get(user.id, { useMasterKey: true }); - expect(result1.get('_password_history').length).toBe(1); + const user1 = await query.get(user.id, { useMasterKey: true }); + expect(user1.get('_password_history')).toBeUndefined(); + + const result1 = await request({ + method: 'GET', + url: `http://localhost:8378/1/classes/_User/${user.id}`, + json: true, + headers, + }).then(res => res.data); + expect(result1._password_history.length).toBe(1); user.setPassword('user3'); await user.save(); - const result2 = await query.get(user.id, { useMasterKey: true }); - expect(result2.get('_password_history').length).toBe(1); + const result2 = await request({ + method: 'GET', + url: `http://localhost:8378/1/classes/_User/${user.id}`, + json: true, + headers, + }).then(res => res.data); + expect(result2._password_history.length).toBe(1); - expect(result1.get('_password_history')).not.toEqual(result2.get('_password_history')); + expect(result1._password_history).not.toEqual(result2._password_history); }); }); diff --git a/spec/RegexVulnerabilities.spec.js b/spec/RegexVulnerabilities.spec.js index 62af4f04e2..5d3bdf254d 100644 --- a/spec/RegexVulnerabilities.spec.js +++ b/spec/RegexVulnerabilities.spec.js @@ -19,6 +19,7 @@ const publicServerURL = 'http://localhost:8378/1'; describe('Regex Vulnerabilities', function () { beforeEach(async function () { await reconfigureServer({ + maintenanceKey: 'test2', verifyUserEmails: true, emailAdapter, appName, @@ -98,11 +99,20 @@ describe('Regex Vulnerabilities', function () { it('should work with plain token', async function () { expect(this.user.get('emailVerified')).toEqual(false); + const current = await request({ + method: 'GET', + url: `http://localhost:8378/1/classes/_User/${this.user.id}`, + json: true, + headers: { + 'X-Parse-Application-Id': 'test', + 'X-Parse-Rest-API-Key': 'test', + 'X-Parse-Maintenance-Key': 'test2', + 'Content-Type': 'application/json', + }, + }).then(res => res.data); // It should work await request({ - url: `${serverURL}/apps/test/verify_email?username=someemail@somedomain.com&token=${this.user.get( - '_email_verify_token' - )}`, + url: `${serverURL}/apps/test/verify_email?username=someemail@somedomain.com&token=${current._email_verify_token}`, method: 'GET', }); await this.user.fetch({ useMasterKey: true }); @@ -164,8 +174,18 @@ describe('Regex Vulnerabilities', function () { email: 'someemail@somedomain.com', }), }); - await this.user.fetch({ useMasterKey: true }); - const token = this.user.get('_perishable_token'); + const current = await request({ + method: 'GET', + url: `http://localhost:8378/1/classes/_User/${this.user.id}`, + json: true, + headers: { + 'X-Parse-Application-Id': 'test', + 'X-Parse-Rest-API-Key': 'test', + 'X-Parse-Maintenance-Key': 'test2', + 'Content-Type': 'application/json', + }, + }).then(res => res.data); + const token = current._perishable_token; const passwordResetResponse = await request({ url: `${serverURL}/apps/test/request_password_reset?username=someemail@somedomain.com&token=${token}`, method: 'GET', diff --git a/spec/helper.js b/spec/helper.js index c439c37c58..445a137ac5 100644 --- a/spec/helper.js +++ b/spec/helper.js @@ -113,7 +113,6 @@ const defaultConfiguration = { enableForAnonymousUser: true, enableForAuthenticatedUser: true, }, - masterKeyIps: ['127.0.0.1'], push: { android: { senderId: 'yolo', diff --git a/spec/rest.spec.js b/spec/rest.spec.js index db3082ec74..02d2f5960b 100644 --- a/spec/rest.spec.js +++ b/spec/rest.spec.js @@ -859,6 +859,15 @@ describe('read-only masterKey', () => { await reconfigureServer(); }); + it('should throw when masterKey and maintenanceKey are the same', async () => { + await expectAsync( + reconfigureServer({ + masterKey: 'yolo', + maintenanceKey: 'yolo', + }) + ).toBeRejectedWith(new Error('masterKey and maintenanceKey should be different')); + }); + it('should throw when trying to create RestWrite', () => { const config = Config.get('test'); expect(() => { diff --git a/src/Auth.js b/src/Auth.js index d9a55593c0..abd14391db 100644 --- a/src/Auth.js +++ b/src/Auth.js @@ -11,6 +11,7 @@ function Auth({ config, cacheController = undefined, isMaster = false, + isMaintenance = false, isReadOnly = false, user, installationId, @@ -19,6 +20,7 @@ function Auth({ this.cacheController = cacheController || (config && config.cacheController); this.installationId = installationId; this.isMaster = isMaster; + this.isMaintenance = isMaintenance; this.user = user; this.isReadOnly = isReadOnly; @@ -35,6 +37,9 @@ Auth.prototype.isUnauthenticated = function () { if (this.isMaster) { return false; } + if (this.isMaintenance) { + return false; + } if (this.user) { return false; } @@ -46,6 +51,11 @@ function master(config) { return new Auth({ config, isMaster: true }); } +// A helper to get a maintenance-level Auth object +function maintenance(config) { + return new Auth({ config, isMaintenance: true }); +} + // A helper to get a master-level Auth object function readOnly(config) { return new Auth({ config, isMaster: true, isReadOnly: true }); @@ -149,7 +159,7 @@ var getAuthForLegacySessionToken = function ({ config, sessionToken, installatio // Returns a promise that resolves to an array of role names Auth.prototype.getUserRoles = function () { - if (this.isMaster || !this.user) { + if (this.isMaster || this.isMaintenance || !this.user) { return Promise.resolve([]); } if (this.fetchedRoles) { @@ -493,6 +503,7 @@ const handleAuthDataValidation = async (authData, req, foundUser) => { module.exports = { Auth, master, + maintenance, nobody, readOnly, getAuthForSessionToken, diff --git a/src/Config.js b/src/Config.js index a62cb5e393..bd7c6f21af 100644 --- a/src/Config.js +++ b/src/Config.js @@ -73,6 +73,8 @@ export class Config { passwordPolicy, masterKeyIps, masterKey, + maintenanceKey, + maintenanceKeyIps, readOnlyMasterKey, allowHeaders, idempotencyOptions, @@ -91,6 +93,10 @@ export class Config { throw new Error('masterKey and readOnlyMasterKey should be different'); } + if (masterKey === maintenanceKey) { + throw new Error('masterKey and maintenanceKey should be different'); + } + const emailAdapter = userController.adapter; if (verifyUserEmails) { this.validateEmailConfiguration({ @@ -116,7 +122,8 @@ export class Config { } } this.validateSessionConfiguration(sessionLength, expireInactiveSessions); - this.validateMasterKeyIps(masterKeyIps); + this.validateIps('masterKeyIps', masterKeyIps); + this.validateIps('maintenanceKeyIps', maintenanceKeyIps); this.validateDefaultLimit(defaultLimit); this.validateMaxLimit(maxLimit); this.validateAllowHeaders(allowHeaders); @@ -440,13 +447,13 @@ export class Config { } } - static validateMasterKeyIps(masterKeyIps) { + static validateIps(field, masterKeyIps) { for (let ip of masterKeyIps) { if (ip.includes('/')) { ip = ip.split('/')[0]; } if (!net.isIP(ip)) { - throw `The Parse Server option "masterKeyIps" contains an invalid IP address "${ip}".`; + throw `The Parse Server option "${field}" contains an invalid IP address "${ip}".`; } } } diff --git a/src/Controllers/DatabaseController.js b/src/Controllers/DatabaseController.js index 89461750ce..3aa4da160e 100644 --- a/src/Controllers/DatabaseController.js +++ b/src/Controllers/DatabaseController.js @@ -68,14 +68,22 @@ const specialMasterQueryKeys = [ '_password_history', ]; -const validateQuery = (query: any, isMaster: boolean, update: boolean): void => { +const validateQuery = ( + query: any, + isMaster: boolean, + isMaintenance: boolean, + update: boolean +): void => { + if (isMaintenance) { + isMaster = true; + } if (query.ACL) { throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Cannot query on ACL.'); } if (query.$or) { if (query.$or instanceof Array) { - query.$or.forEach(value => validateQuery(value, isMaster, update)); + query.$or.forEach(value => validateQuery(value, isMaster, isMaintenance, update)); } else { throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Bad $or format - use an array value.'); } @@ -83,7 +91,7 @@ const validateQuery = (query: any, isMaster: boolean, update: boolean): void => if (query.$and) { if (query.$and instanceof Array) { - query.$and.forEach(value => validateQuery(value, isMaster, update)); + query.$and.forEach(value => validateQuery(value, isMaster, isMaintenance, update)); } else { throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Bad $and format - use an array value.'); } @@ -91,7 +99,7 @@ const validateQuery = (query: any, isMaster: boolean, update: boolean): void => if (query.$nor) { if (query.$nor instanceof Array && query.$nor.length > 0) { - query.$nor.forEach(value => validateQuery(value, isMaster, update)); + query.$nor.forEach(value => validateQuery(value, isMaster, isMaintenance, update)); } else { throw new Parse.Error( Parse.Error.INVALID_QUERY, @@ -124,6 +132,7 @@ const validateQuery = (query: any, isMaster: boolean, update: boolean): void => // Filters out any data that shouldn't be on this REST-formatted object. const filterSensitiveData = ( isMaster: boolean, + isMaintenance: boolean, aclGroup: any[], auth: any, operation: any, @@ -195,6 +204,15 @@ const filterSensitiveData = ( } const isUserClass = className === '_User'; + if (isUserClass) { + object.password = object._hashed_password; + delete object._hashed_password; + delete object.sessionToken; + } + + if (isMaintenance) { + return object; + } /* special treat for the user class: don't filter protectedFields if currently loggedin user is the retrieved user */ @@ -208,22 +226,13 @@ const filterSensitiveData = ( perms.protectedFields.temporaryKeys.forEach(k => delete object[k]); } - if (isUserClass) { - object.password = object._hashed_password; - delete object._hashed_password; - delete object.sessionToken; - } - - if (isMaster) { - return object; - } for (const key in object) { if (key.charAt(0) === '_') { delete object[key]; } } - if (!isUserClass) { + if (!isUserClass || isMaster) { return object; } @@ -439,7 +448,8 @@ class DatabaseController { className: string, object: any, query: any, - runOptions: QueryOptions + runOptions: QueryOptions, + maintenance: boolean ): Promise { let schema; const acl = runOptions.acl; @@ -454,7 +464,7 @@ class DatabaseController { return this.canAddField(schema, className, object, aclGroup, runOptions); }) .then(() => { - return schema.validateObject(className, object, query); + return schema.validateObject(className, object, query, maintenance); }); } @@ -512,7 +522,7 @@ class DatabaseController { if (acl) { query = addWriteACL(query, acl); } - validateQuery(query, isMaster, true); + validateQuery(query, isMaster, false, true); return schemaController .getOneSchema(className, true) .catch(error => { @@ -758,7 +768,7 @@ class DatabaseController { if (acl) { query = addWriteACL(query, acl); } - validateQuery(query, isMaster, false); + validateQuery(query, isMaster, false, false); return schemaController .getOneSchema(className) .catch(error => { @@ -1151,7 +1161,8 @@ class DatabaseController { auth: any = {}, validSchemaController: SchemaController.SchemaController ): Promise { - const isMaster = acl === undefined; + const isMaintenance = auth.isMaintenance; + const isMaster = acl === undefined || isMaintenance; const aclGroup = acl || []; op = op || (typeof query.objectId == 'string' && Object.keys(query).length === 1 ? 'get' : 'find'); @@ -1253,7 +1264,7 @@ class DatabaseController { query = addReadACL(query, aclGroup); } } - validateQuery(query, isMaster, false); + validateQuery(query, isMaster, isMaintenance, false); if (count) { if (!classExists) { return 0; @@ -1296,6 +1307,7 @@ class DatabaseController { object = untransformObjectACL(object); return filterSensitiveData( isMaster, + isMaintenance, aclGroup, auth, op, @@ -1813,8 +1825,8 @@ class DatabaseController { return Promise.resolve(response); } - static _validateQuery: (any, boolean, boolean) => void; - static filterSensitiveData: (boolean, any[], any, any, any, string, any[], any) => void; + static _validateQuery: (any, boolean, boolean, boolean) => void; + static filterSensitiveData: (boolean, boolean, any[], any, any, any, string, any[], any) => void; } module.exports = DatabaseController; diff --git a/src/Controllers/SchemaController.js b/src/Controllers/SchemaController.js index 179de37b6e..62757d251d 100644 --- a/src/Controllers/SchemaController.js +++ b/src/Controllers/SchemaController.js @@ -1071,14 +1071,19 @@ export default class SchemaController { className: string, fieldName: string, type: string | SchemaField, - isValidation?: boolean + isValidation?: boolean, + maintenance?: boolean ) { if (fieldName.indexOf('.') > 0) { // subdocument key (x.y) => ok if x is of type 'object' fieldName = fieldName.split('.')[0]; type = 'Object'; } - if (!fieldNameIsValid(fieldName, className)) { + let fieldNameToValidate = `${fieldName}`; + if (maintenance && fieldNameToValidate.charAt(0) === '_') { + fieldNameToValidate = fieldNameToValidate.substring(1); + } + if (!fieldNameIsValid(fieldNameToValidate, className)) { throw new Parse.Error(Parse.Error.INVALID_KEY_NAME, `Invalid field name: ${fieldName}.`); } @@ -1228,7 +1233,7 @@ export default class SchemaController { // Validates an object provided in REST format. // Returns a promise that resolves to the new schema if this object is // valid. - async validateObject(className: string, object: any, query: any) { + async validateObject(className: string, object: any, query: any, maintenance: boolean) { let geocount = 0; const schema = await this.enforceClassExists(className); const promises = []; @@ -1258,7 +1263,7 @@ export default class SchemaController { // Every object has ACL implicitly. continue; } - promises.push(schema.enforceFieldExists(className, fieldName, expected, true)); + promises.push(schema.enforceFieldExists(className, fieldName, expected, true, maintenance)); } const results = await Promise.all(promises); const enforceFields = results.filter(result => !!result); diff --git a/src/Controllers/UserController.js b/src/Controllers/UserController.js index 62c165c1e2..6871add987 100644 --- a/src/Controllers/UserController.js +++ b/src/Controllers/UserController.js @@ -69,20 +69,17 @@ export class UserController extends AdaptableController { updateFields._email_verify_token_expires_at = { __op: 'Delete' }; } - const masterAuth = Auth.master(this.config); - var findUserForEmailVerification = new RestQuery( - this.config, - Auth.master(this.config), - '_User', - { username: username } - ); + const maintenanceAuth = Auth.maintenance(this.config); + var findUserForEmailVerification = new RestQuery(this.config, maintenanceAuth, '_User', { + username, + }); return findUserForEmailVerification.execute().then(result => { if (result.results.length && result.results[0].emailVerified) { return Promise.resolve(result.results.length[0]); } else if (result.results.length) { query.objectId = result.results[0].objectId; } - return rest.update(this.config, masterAuth, '_User', query, updateFields); + return rest.update(this.config, maintenanceAuth, '_User', query, updateFields); }); } @@ -94,7 +91,8 @@ export class UserController extends AdaptableController { username: username, _perishable_token: token, }, - { limit: 1 } + { limit: 1 }, + Auth.maintenance(this.config) ) .then(results => { if (results.length != 1) { @@ -228,7 +226,8 @@ export class UserController extends AdaptableController { { username: email, email: { $exists: false }, _perishable_token: { $exists: true } }, ], }, - { limit: 1 } + { limit: 1 }, + Auth.maintenance(this.config) ); if (results.length == 1) { let expiresDate = results[0]._perishable_token_expires_at; diff --git a/src/LiveQuery/ParseLiveQueryServer.js b/src/LiveQuery/ParseLiveQueryServer.js index 78cdf55e07..f33382f202 100644 --- a/src/LiveQuery/ParseLiveQueryServer.js +++ b/src/LiveQuery/ParseLiveQueryServer.js @@ -625,6 +625,7 @@ class ParseLiveQueryServer { } return DatabaseController.filterSensitiveData( client.hasMasterKey, + false, aclGroup, clientAuth, op, diff --git a/src/Options/Definitions.js b/src/Options/Definitions.js index 7ba817cd6e..f7a4f822d7 100644 --- a/src/Options/Definitions.js +++ b/src/Options/Definitions.js @@ -300,6 +300,19 @@ module.exports.ParseServerOptions = { help: "Folder for the logs (defaults to './logs'); set to null to disable file based logging", default: './logs', }, + maintenanceKey: { + env: 'PARSE_SERVER_MAINTENANCE_KEY', + help: + '(Optional) The maintenance key is used for modifying internal fields of Parse Server.

\u26A0\uFE0F This key is not intended to be used as part of a regular operation of Parse Server. This key is intended to conduct out-of-band changes such as one-time migrations or data correction tasks. Internal fields are not officially documented and may change at any time without publication in release changelogs. We strongly advice not to rely on internal fields as part of your regular operation and to investigate the implications of any planned changes *directly in the source code* of your current version of Parse Server.', + required: true, + }, + maintenanceKeyIps: { + env: 'PARSE_SERVER_MAINTENANCE_KEY_IPS', + help: + "(Optional) Restricts the use of maintenance key permissions to a list of IP addresses.

This option accepts a list of single IP addresses, for example:
`['10.0.0.1', '10.0.0.2']`

You can also use CIDR notation to specify an IP address range, for example:
`['10.0.1.0/24']`

Special cases:
- Setting an empty array `[]` means that `maintenanceKey` cannot be used even in Parse Server Cloud Code.
- Setting `['0.0.0.0/0']` means disabling the filter and the maintenance key can be used from any IP address.

Defaults to `['127.0.0.1', '::1']` which means that only `localhost`, the server itself, is allowed to use the maintenance key.", + action: parsers.arrayParser, + default: ['127.0.0.1', '::1'], + }, masterKey: { env: 'PARSE_SERVER_MASTER_KEY', help: 'Your Parse Master Key', @@ -308,7 +321,7 @@ module.exports.ParseServerOptions = { masterKeyIps: { env: 'PARSE_SERVER_MASTER_KEY_IPS', help: - "(Optional) Restricts the use of master key permissions to a list of IP addresses.

This option accepts a list of single IP addresses, for example:
`['10.0.0.1', '10.0.0.2']`

You can also use CIDR notation to specify an IP address range, for example:
`['10.0.1.0/24']`

Special cases:
- Setting an empty array `[]` means that `masterKey`` cannot be used even in Parse Server Cloud Code.
- Setting `['0.0.0.0/0']` means disabling the filter and the master key can be used from any IP address.

To connect Parse Dashboard from a different server requires to add the IP address of the server that hosts Parse Dashboard because Parse Dashboard uses the master key.

Defaults to `['127.0.0.1', '::1']` which means that only `localhost`, the server itself, is allowed to use the master key.", + "(Optional) Restricts the use of master key permissions to a list of IP addresses.

This option accepts a list of single IP addresses, for example:
`['10.0.0.1', '10.0.0.2']`

You can also use CIDR notation to specify an IP address range, for example:
`['10.0.1.0/24']`

Special cases:
- Setting an empty array `[]` means that `masterKey` cannot be used even in Parse Server Cloud Code.
- Setting `['0.0.0.0/0']` means disabling the filter and the master key can be used from any IP address.

To connect Parse Dashboard from a different server requires to add the IP address of the server that hosts Parse Dashboard because Parse Dashboard uses the master key.

Defaults to `['127.0.0.1', '::1']` which means that only `localhost`, the server itself, is allowed to use the master key.", action: parsers.arrayParser, default: ['127.0.0.1', '::1'], }, diff --git a/src/Options/docs.js b/src/Options/docs.js index bfdb609fcc..b0378d327e 100644 --- a/src/Options/docs.js +++ b/src/Options/docs.js @@ -58,8 +58,10 @@ * @property {String} logLevel Sets the level for logs * @property {LogLevels} logLevels (Optional) Overrides the log levels used internally by Parse Server to log events. * @property {String} logsFolder Folder for the logs (defaults to './logs'); set to null to disable file based logging + * @property {String} maintenanceKey (Optional) The maintenance key is used for modifying internal fields of Parse Server.

⚠️ This key is not intended to be used as part of a regular operation of Parse Server. This key is intended to conduct out-of-band changes such as one-time migrations or data correction tasks. Internal fields are not officially documented and may change at any time without publication in release changelogs. We strongly advice not to rely on internal fields as part of your regular operation and to investigate the implications of any planned changes *directly in the source code* of your current version of Parse Server. + * @property {String[]} maintenanceKeyIps (Optional) Restricts the use of maintenance key permissions to a list of IP addresses.

This option accepts a list of single IP addresses, for example:
`['10.0.0.1', '10.0.0.2']`

You can also use CIDR notation to specify an IP address range, for example:
`['10.0.1.0/24']`

Special cases:
- Setting an empty array `[]` means that `maintenanceKey` cannot be used even in Parse Server Cloud Code.
- Setting `['0.0.0.0/0']` means disabling the filter and the maintenance key can be used from any IP address.

Defaults to `['127.0.0.1', '::1']` which means that only `localhost`, the server itself, is allowed to use the maintenance key. * @property {String} masterKey Your Parse Master Key - * @property {String[]} masterKeyIps (Optional) Restricts the use of master key permissions to a list of IP addresses.

This option accepts a list of single IP addresses, for example:
`['10.0.0.1', '10.0.0.2']`

You can also use CIDR notation to specify an IP address range, for example:
`['10.0.1.0/24']`

Special cases:
- Setting an empty array `[]` means that `masterKey`` cannot be used even in Parse Server Cloud Code.
- Setting `['0.0.0.0/0']` means disabling the filter and the master key can be used from any IP address.

To connect Parse Dashboard from a different server requires to add the IP address of the server that hosts Parse Dashboard because Parse Dashboard uses the master key.

Defaults to `['127.0.0.1', '::1']` which means that only `localhost`, the server itself, is allowed to use the master key. + * @property {String[]} masterKeyIps (Optional) Restricts the use of master key permissions to a list of IP addresses.

This option accepts a list of single IP addresses, for example:
`['10.0.0.1', '10.0.0.2']`

You can also use CIDR notation to specify an IP address range, for example:
`['10.0.1.0/24']`

Special cases:
- Setting an empty array `[]` means that `masterKey` cannot be used even in Parse Server Cloud Code.
- Setting `['0.0.0.0/0']` means disabling the filter and the master key can be used from any IP address.

To connect Parse Dashboard from a different server requires to add the IP address of the server that hosts Parse Dashboard because Parse Dashboard uses the master key.

Defaults to `['127.0.0.1', '::1']` which means that only `localhost`, the server itself, is allowed to use the master key. * @property {Number} maxLimit Max value for limit option on queries, defaults to unlimited * @property {Number|String} maxLogFiles Maximum number of logs to keep. If not set, no logs will be removed. This can be a number of files or number of days. If using days, add 'd' as the suffix. (default: null) * @property {String} maxUploadSize Max file size for uploads, defaults to 20mb diff --git a/src/Options/index.js b/src/Options/index.js index 4cf6e377ec..661d062de6 100644 --- a/src/Options/index.js +++ b/src/Options/index.js @@ -46,12 +46,17 @@ export interface ParseServerOptions { appId: string; /* Your Parse Master Key */ masterKey: string; + /* (Optional) The maintenance key is used for modifying internal fields of Parse Server.

⚠️ This key is not intended to be used as part of a regular operation of Parse Server. This key is intended to conduct out-of-band changes such as one-time migrations or data correction tasks. Internal fields are not officially documented and may change at any time without publication in release changelogs. We strongly advice not to rely on internal fields as part of your regular operation and to investigate the implications of any planned changes *directly in the source code* of your current version of Parse Server. */ + maintenanceKey: string; /* URL to your parse server with http:// or https://. :ENV: PARSE_SERVER_URL */ serverURL: string; - /* (Optional) Restricts the use of master key permissions to a list of IP addresses.

This option accepts a list of single IP addresses, for example:
`['10.0.0.1', '10.0.0.2']`

You can also use CIDR notation to specify an IP address range, for example:
`['10.0.1.0/24']`

Special cases:
- Setting an empty array `[]` means that `masterKey`` cannot be used even in Parse Server Cloud Code.
- Setting `['0.0.0.0/0']` means disabling the filter and the master key can be used from any IP address.

To connect Parse Dashboard from a different server requires to add the IP address of the server that hosts Parse Dashboard because Parse Dashboard uses the master key.

Defaults to `['127.0.0.1', '::1']` which means that only `localhost`, the server itself, is allowed to use the master key. + /* (Optional) Restricts the use of master key permissions to a list of IP addresses.

This option accepts a list of single IP addresses, for example:
`['10.0.0.1', '10.0.0.2']`

You can also use CIDR notation to specify an IP address range, for example:
`['10.0.1.0/24']`

Special cases:
- Setting an empty array `[]` means that `masterKey` cannot be used even in Parse Server Cloud Code.
- Setting `['0.0.0.0/0']` means disabling the filter and the master key can be used from any IP address.

To connect Parse Dashboard from a different server requires to add the IP address of the server that hosts Parse Dashboard because Parse Dashboard uses the master key.

Defaults to `['127.0.0.1', '::1']` which means that only `localhost`, the server itself, is allowed to use the master key. :DEFAULT: ["127.0.0.1","::1"] */ masterKeyIps: ?(string[]); + /* (Optional) Restricts the use of maintenance key permissions to a list of IP addresses.

This option accepts a list of single IP addresses, for example:
`['10.0.0.1', '10.0.0.2']`

You can also use CIDR notation to specify an IP address range, for example:
`['10.0.1.0/24']`

Special cases:
- Setting an empty array `[]` means that `maintenanceKey` cannot be used even in Parse Server Cloud Code.
- Setting `['0.0.0.0/0']` means disabling the filter and the maintenance key can be used from any IP address.

Defaults to `['127.0.0.1', '::1']` which means that only `localhost`, the server itself, is allowed to use the maintenance key. + :DEFAULT: ["127.0.0.1","::1"] */ + maintenanceKeyIps: ?(string[]); /* Sets the app name */ appName: ?string; /* Add headers to Access-Control-Allow-Headers */ diff --git a/src/ParseServer.js b/src/ParseServer.js index 91e6401e10..355d9178ca 100644 --- a/src/ParseServer.js +++ b/src/ParseServer.js @@ -513,10 +513,6 @@ function injectDefaults(options: ParseServerOptions) { }); } }); - - options.masterKeyIps = Array.from( - new Set(options.masterKeyIps.concat(defaults.masterKeyIps, options.masterKeyIps)) - ); } // Those can't be tested as it requires a subprocess diff --git a/src/RestWrite.js b/src/RestWrite.js index d4890a2da8..3a8385e52a 100644 --- a/src/RestWrite.js +++ b/src/RestWrite.js @@ -166,7 +166,7 @@ RestWrite.prototype.execute = function () { // Uses the Auth object to get the list of roles, adds the user id RestWrite.prototype.getUserAndRoleACL = function () { - if (this.auth.isMaster) { + if (this.auth.isMaster || this.auth.isMaintenance) { return Promise.resolve(); } @@ -187,6 +187,7 @@ RestWrite.prototype.validateClientClassCreation = function () { if ( this.config.allowClientClassCreation === false && !this.auth.isMaster && + !this.auth.isMaintenance && SchemaController.systemClasses.indexOf(this.className) === -1 ) { return this.config.database @@ -211,7 +212,8 @@ RestWrite.prototype.validateSchema = function () { this.className, this.data, this.query, - this.runOptions + this.runOptions, + this.auth.isMaintenance ); }; @@ -434,7 +436,7 @@ RestWrite.prototype.validateAuthData = function () { }; RestWrite.prototype.filteredObjectsByACL = function (objects) { - if (this.auth.isMaster) { + if (this.auth.isMaster || this.auth.isMaintenance) { return objects; } return objects.filter(object => { @@ -605,7 +607,7 @@ RestWrite.prototype.transformUser = function () { return promise; } - if (!this.auth.isMaster && 'emailVerified' in this.data) { + if (!this.auth.isMaintenance && !this.auth.isMaster && 'emailVerified' in this.data) { const error = `Clients aren't allowed to manually update email verification.`; throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, error); } @@ -640,7 +642,7 @@ RestWrite.prototype.transformUser = function () { if (this.query) { this.storage['clearSessions'] = true; // Generate a new session only if the user requested - if (!this.auth.isMaster) { + if (!this.auth.isMaster && !this.auth.isMaintenance) { this.storage['generateNewSession'] = true; } } @@ -813,7 +815,8 @@ RestWrite.prototype._validatePasswordHistory = function () { .find( '_User', { objectId: this.objectId() }, - { keys: ['_password_history', '_hashed_password'] } + { keys: ['_password_history', '_hashed_password'] }, + Auth.maintenance(this.config) ) .then(results => { if (results.length != 1) { @@ -1015,7 +1018,7 @@ RestWrite.prototype.handleSession = function () { return; } - if (!this.auth.user && !this.auth.isMaster) { + if (!this.auth.user && !this.auth.isMaster && !this.auth.isMaintenance) { throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN, 'Session token required.'); } @@ -1048,7 +1051,7 @@ RestWrite.prototype.handleSession = function () { } } - if (!this.query && !this.auth.isMaster) { + if (!this.query && !this.auth.isMaster && !this.auth.isMaintenance) { const additionalSessionData = {}; for (var key in this.data) { if (key === 'objectId' || key === 'user') { @@ -1115,7 +1118,7 @@ RestWrite.prototype.handleInstallation = function () { let installationId = this.data.installationId; // If data.installationId is not set and we're not master, we can lookup in auth - if (!installationId && !this.auth.isMaster) { + if (!installationId && !this.auth.isMaster && !this.auth.isMaintenance) { installationId = this.auth.installationId; } @@ -1379,7 +1382,12 @@ RestWrite.prototype.runDatabaseOperation = function () { if (this.query) { // Force the user to not lockout // Matched with parse.com - if (this.className === '_User' && this.data.ACL && this.auth.isMaster !== true) { + if ( + this.className === '_User' && + this.data.ACL && + this.auth.isMaster !== true && + this.auth.isMaintenance !== true + ) { this.data.ACL[this.query.objectId] = { read: true, write: true }; } // update password timestamp if user password is being changed @@ -1406,7 +1414,8 @@ RestWrite.prototype.runDatabaseOperation = function () { .find( '_User', { objectId: this.objectId() }, - { keys: ['_password_history', '_hashed_password'] } + { keys: ['_password_history', '_hashed_password'] }, + Auth.maintenance(this.config) ) .then(results => { if (results.length != 1) { diff --git a/src/Routers/UsersRouter.js b/src/Routers/UsersRouter.js index 10cf6c803e..a0c0039c47 100644 --- a/src/Routers/UsersRouter.js +++ b/src/Routers/UsersRouter.js @@ -103,7 +103,7 @@ export class UsersRouter extends ClassesRouter { query = { $or: [{ username }, { email: username }] }; } return req.config.database - .find('_User', query) + .find('_User', query, {}, Auth.maintenance(req.config)) .then(results => { if (!results.length) { throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Invalid username/password.'); diff --git a/src/middlewares.js b/src/middlewares.js index 0e525816ba..46c4a32a43 100644 --- a/src/middlewares.js +++ b/src/middlewares.js @@ -45,6 +45,7 @@ export function handleParseHeaders(req, res, next) { appId: req.get('X-Parse-Application-Id'), sessionToken: req.get('X-Parse-Session-Token'), masterKey: req.get('X-Parse-Master-Key'), + maintenanceKey: req.get('X-Parse-Maintenance-Key'), installationId: req.get('X-Parse-Installation-Id'), clientKey: req.get('X-Parse-Client-Key'), javascriptKey: req.get('X-Parse-Javascript-Key'), @@ -177,6 +178,24 @@ export function handleParseHeaders(req, res, next) { req.config.ip = clientIp; req.info = info; + const isMaintenance = + req.config.maintenanceKey && info.maintenanceKey === req.config.maintenanceKey; + if (isMaintenance) { + if (ipRangeCheck(clientIp, req.config.maintenanceKeyIps || [])) { + req.auth = new auth.Auth({ + config: req.config, + installationId: info.installationId, + isMaintenance: true, + }); + next(); + return; + } + const log = req.config?.loggerController || defaultLogger; + log.error( + `Request using maintenance key rejected as the request IP address '${clientIp}' is not set in Parse Server option 'maintenanceKeyIps'.` + ); + } + let isMaster = info.masterKey === req.config.masterKey; if (isMaster && !ipRangeCheck(clientIp, req.config.masterKeyIps || [])) { const log = req.config?.loggerController || defaultLogger; diff --git a/src/rest.js b/src/rest.js index fca3497a5d..e1e53668a6 100644 --- a/src/rest.js +++ b/src/rest.js @@ -111,7 +111,7 @@ function del(config, auth, className, objectId, context) { if (response && response.results && response.results.length) { const firstResult = response.results[0]; firstResult.className = className; - if (className === '_Session' && !auth.isMaster) { + if (className === '_Session' && !auth.isMaster && !auth.isMaintenance) { if (!auth.user || firstResult.user.objectId !== auth.user.id) { throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN, 'Invalid session token'); } @@ -134,7 +134,7 @@ function del(config, auth, className, objectId, context) { return Promise.resolve({}); }) .then(() => { - if (!auth.isMaster) { + if (!auth.isMaster && !auth.isMaintenance) { return auth.getUserRoles(); } else { return; @@ -144,7 +144,7 @@ function del(config, auth, className, objectId, context) { .then(s => { schemaController = s; const options = {}; - if (!auth.isMaster) { + if (!auth.isMaster && !auth.isMaintenance) { options.acl = ['*']; if (auth.user) { options.acl.push(auth.user.id); @@ -237,7 +237,12 @@ function update(config, auth, className, restWhere, restObject, clientSDK, conte function handleSessionMissingError(error, className, auth) { // If we're trying to update a user without / with bad session token - if (className === '_User' && error.code === Parse.Error.OBJECT_NOT_FOUND && !auth.isMaster) { + if ( + className === '_User' && + error.code === Parse.Error.OBJECT_NOT_FOUND && + !auth.isMaster && + !auth.isMaintenance + ) { throw new Parse.Error(Parse.Error.SESSION_MISSING, 'Insufficient auth.'); } throw error; @@ -253,7 +258,7 @@ const classesWithMasterOnlyAccess = [ ]; // Disallowing access to the _Role collection except by master key function enforceRoleSecurity(method, className, auth) { - if (className === '_Installation' && !auth.isMaster) { + if (className === '_Installation' && !auth.isMaster && !auth.isMaintenance) { if (method === 'delete' || method === 'find') { const error = `Clients aren't allowed to perform the ${method} operation on the installation collection.`; throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, error); @@ -261,7 +266,11 @@ function enforceRoleSecurity(method, className, auth) { } //all volatileClasses are masterKey only - if (classesWithMasterOnlyAccess.indexOf(className) >= 0 && !auth.isMaster) { + if ( + classesWithMasterOnlyAccess.indexOf(className) >= 0 && + !auth.isMaster && + !auth.isMaintenance + ) { const error = `Clients aren't allowed to perform the ${method} operation on the ${className} collection.`; throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, error); }