From f98b1b73263e9399119b66ec67b747cf92e53ce1 Mon Sep 17 00:00:00 2001 From: Sebastian Seedorf Date: Mon, 16 Nov 2020 16:04:54 +0100 Subject: [PATCH] Fixed unknown roles --- out/auth-proxy.js | 9 ++++++++- out/permissions.d.ts | 2 +- out/permissions.js | 20 ++++++++++++-------- out/polyfill.js | 2 +- src/permissions.ts | 20 +++++++++++--------- 5 files changed, 33 insertions(+), 20 deletions(-) diff --git a/out/auth-proxy.js b/out/auth-proxy.js index 20b53c8..0628d43 100644 --- a/out/auth-proxy.js +++ b/out/auth-proxy.js @@ -14,18 +14,25 @@ const _1 = require("."); const node_fetch_1 = require("node-fetch"); const router = (req, res, next) => { const resolvable = new _1.Resolvable(() => __awaiter(void 0, void 0, void 0, function* () { + console.log("header", _1.DefaultConfig.USERINFO_HEADER); if (!_1.DefaultConfig.USERINFO_HEADER) { return undefined; } const token = req.header(_1.DefaultConfig.USERINFO_HEADER); + console.log("token", token); const url = _1.DefaultConfig.AUTH_PROXY_USERINFO_URL || _1.DefaultConfig.AUTH_PROXY_URL && _1.urlJoin(_1.DefaultConfig.AUTH_PROXY_URL, "userinfo"); + console.log("url", url); if (token === undefined || url === undefined) { return undefined; } + console.log("fetch"); try { const res = yield node_fetch_1.default(url, { headers: [[_1.DefaultConfig.USERINFO_HEADER, token]] }); - return yield res.json(); + console.log("res"); + const json = yield res.json(); + console.log("json", json); + return json; } catch (e) { _1.Logger.warn(e); diff --git a/out/permissions.d.ts b/out/permissions.d.ts index 6a1297b..f6e48fb 100644 --- a/out/permissions.d.ts +++ b/out/permissions.d.ts 
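Review bot: The added `console.log("token", token)` and `console.log("json", json)` in out/auth-proxy.js print the value of the userinfo header and the full userinfo response each time the resolver runs, so anyone who can read the process output can read them too. The header value is forwarded to the auth proxy to identify the user, so it is presumably a credential and should never be logged. The other added `console.log` calls here, and `console.log("heee")` / `console.log("huuu", userInfo, typeof userInfo)` in the third hunk of out/permissions.js, look like the same leftover debugging. The out/permissions.js calls have no counterpart in src/permissions.ts in this patch, and src/auth-proxy.ts is not part of it, so the committed build output may not match the sources. I would remove the added lines, keep `return yield res.json();`, and rebuild out/ from a clean tree; the router function starts and ends outside the hunk.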
@@ -3,7 +3,7 @@ import { Query } from 'role-acl/lib/src/core/Query'; import { Request, RequestHandler } from 'express'; declare class PermissionManager extends AccessControl { can(roleOrRequest: Request | string | string[] | IQueryInfo): PermQuery; - getRouter(resource: string, opts: Partial): RequestHandler; + getRouter(resource: string, opts?: Partial): RequestHandler; } export declare type RermRouterOpts = { context: unknown; diff --git a/out/permissions.js b/out/permissions.js index 4178f92..080bf81 100644 --- a/out/permissions.js +++ b/out/permissions.js @@ -20,12 +20,12 @@ class PermissionManager extends role_acl_1.AccessControl { getRouter(resource, opts) { return (req, res, next) => __awaiter(this, void 0, void 0, function* () { let query = this.can(req); - if (opts.context) - query = query.context(opts.context); - if (opts.action) - query = query.execute(opts.action); - if (opts.skipConditions) - query = query.skipConditions(opts.skipConditions); + if (opts === null || opts === void 0 ? void 0 : opts.context) + query = query.context(opts === null || opts === void 0 ? void 0 : opts.context); + if (opts === null || opts === void 0 ? void 0 : opts.action) + query = query.execute(opts === null || opts === void 0 ? void 0 : opts.action); + if (opts === null || opts === void 0 ? void 0 : opts.skipConditions) + query = query.skipConditions(opts === null || opts === void 0 ? void 0 : opts.skipConditions); const permission = yield query.on(resource); if (permission.granted) { req.permissionDetails = permission; @@ -41,7 +41,7 @@ class PermQuery extends Query_1.Query { constructor(grants, roleOrRequest) { function isRequest(obj) { // eslint-disable-next-line no-prototype-builtins - return typeof obj === 'object' && obj && obj.hasOwnProperty('path') || false; + return typeof obj === 'object' && obj && obj.hasOwnProperty('res') || false; } if (isRequest(roleOrRequest)) { super(grants, []); 
@@ -57,9 +57,13 @@ class PermQuery extends Query_1.Query { }); var _a; return __awaiter(this, void 0, void 0, function* () { + console.log("heee"); if (this.resolveRequest) { const userInfo = yield this.resolveRequest.getUserInfo(); - this.role((_a = userInfo === null || userInfo === void 0 ? void 0 : userInfo.groups) !== null && _a !== void 0 ? _a : []); + console.log("huuu", userInfo, typeof userInfo); + const availableRoles = Object.keys(this._grants); + const roles = ((_a = userInfo === null || userInfo === void 0 ? void 0 : userInfo.groups) !== null && _a !== void 0 ? _a : []).filter(x => availableRoles.includes(x)); + this.role(roles); } if (typeof this._.role === 'object' && this._.role.includes('noaccess') || typeof this._.role === 'string' && this._.role === 'noaccess') { diff --git a/out/polyfill.js b/out/polyfill.js index c0585ec..837033c 100644 --- a/out/polyfill.js +++ b/out/polyfill.js @@ -13,8 +13,8 @@ exports.Polyfill = void 0; const polyfillLibrary = require("polyfill-library"); const _1 = require("."); const threads_1 = require("threads"); -const features = new _1.WaitForSync(); function getRouter(fileToWatch, opts) { + const features = new _1.WaitForSync(); (() => __awaiter(this, void 0, void 0, function* () { const worker = yield threads_1.spawn(new threads_1.Worker("./polyfill-worker")); const feats = yield worker(fileToWatch); diff --git a/src/permissions.ts b/src/permissions.ts index ae42301..612be4b 100644 --- a/src/permissions.ts +++ b/src/permissions.ts 
@@ -8,15 +8,15 @@ class PermissionManager extends AccessControl { return new PermQuery(this.getGrants(), roleOrRequest); } - public getRouter(resource: string, opts: Partial): RequestHandler { + public getRouter(resource: string, opts?: Partial): RequestHandler { return async (req: Request, res, next) => { let query = this.can(req); - if (opts.context) - query = query.context(opts.context); - if (opts.action) - query = query.execute(opts.action); - if (opts.skipConditions) - query = query.skipConditions(opts.skipConditions); + if (opts?.context) + query = query.context(opts?.context); + if (opts?.action) + query = query.execute(opts?.action); + if (opts?.skipConditions) + query = query.skipConditions(opts?.skipConditions); const permission = await query.on(resource); if (permission.granted) { req.permissionDetails = permission; @@ -40,7 +40,7 @@ export class PermQuery extends Query { constructor(grants: unknown, roleOrRequest: Request|string|string[]|IQueryInfo) { function isRequest(obj: unknown): obj is Request { // eslint-disable-next-line no-prototype-builtins - return typeof obj === 'object' && obj && obj.hasOwnProperty('path') || false; + return typeof obj === 'object' && obj && obj.hasOwnProperty('res') || false; } if (isRequest(roleOrRequest)) { super(grants, []); @@ -53,7 +53,9 @@ export class PermQuery extends Query { public async on(resource: string, skipConditions?: boolean): Promise { if (this.resolveRequest) { const userInfo = await this.resolveRequest.getUserInfo(); - this.role(userInfo?.groups ?? []); + const availableRoles = Object.keys(this._grants); + const roles = (userInfo?.groups ?? []).filter(x => availableRoles.includes(x)); + this.role(roles); } if ( typeof this._.role === 'object' && this._.role.includes('noaccess') ||
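Review bot: `isRequest` in the second hunk of src/permissions.ts now picks the constructor path from a single own property named `res`, and nothing says why `res` replaced `path`. The result decides whether roles are resolved from the request's user info or taken from the argument as passed, so the reason for the probe should be written down, and a non-request object that carries a `res` key would be treated as a request. I would add a comment such as `// Express assigns req.res as an own property; req.path is a prototype getter, so hasOwnProperty('path') never matched`, after confirming that against the Express version in use. Consider also checking that `res` holds an object rather than only that the key exists. The constructor body continues outside the hunk.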
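Review bot: `(userInfo?.groups ?? []).filter(...)` in the third hunk assumes `groups` is an array, but the value comes from the parsed userinfo response, and the out/auth-proxy.js hunk of this patch returns `res.json()` without validation. A string or object in that field makes `.filter` throw inside `on()`. I would narrow it first, `const groups = Array.isArray(userInfo?.groups) ? userInfo.groups : [];`, and filter that. It is also worth confirming that `this.role([])`, which is what results when every group is unknown, ends in a denial rather than an error or a grant. The code that consumes the role list is outside the hunk, and `on()` continues past the last visible line.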