Updated to 1.5.17: Security impersonation

- Added security impersonation to the API token that gets passed into reads/writes/browses

Author: iatraviscox

IgnitionNodeRED-build/pom.xml

@@ -47,7 +47,7 @@
                     <moduleId>org.imdc.nodered.IgnitionNodeRED</moduleId>
                     <moduleName>${module-name}</moduleName>
                     <moduleDescription>${module-description}</moduleDescription>
-                    <moduleVersion>1.5.16.${timestamp}</moduleVersion>
+                    <moduleVersion>1.5.17.${timestamp}</moduleVersion>
                     <requiredIgnitionVersion>${ignition-platform-version}</requiredIgnitionVersion>
                     <requiredFrameworkVersion>8</requiredFrameworkVersion>
                     <licenseFile>license.html</licenseFile>

IgnitionNodeRED-gateway/src/main/java/org/imdc/nodered/NodeREDAPITokens.java

@@ -43,8 +43,55 @@ public void onValidate(SFieldMeta field, SRecordInstance instance) throws SExcep
     public static final ReferenceField<AuditProfileRecord> AuditProfile =
             new ReferenceField<AuditProfileRecord>(META, AuditProfileRecord.META, "AuditProfile", AuditProfileId);
 
+    public static final StringField SecurityLevels = new StringField(META, "SecurityLevels").addValidator(new SValidatorI() {
+        @Override
+        public void onValidate(SFieldMeta field, SRecordInstance instance) throws SException.Validation {
+            if (!instance.isNull(field)) {
+                String val = instance.getString(field);
+
+                try {
+                    val.split(",");
+                } catch (Throwable ex) {
+                    throw new SException.Validation("Field " + field + " value must be a comma separated string");
+                }
+            }
+        }
+    });
+    public static final StringField Roles = new StringField(META, "Roles").addValidator(new SValidatorI() {
+        @Override
+        public void onValidate(SFieldMeta field, SRecordInstance instance) throws SException.Validation {
+            if (!instance.isNull(field)) {
+                String val = instance.getString(field);
+
+                try {
+                    val.split(",");
+                } catch (Throwable ex) {
+                    throw new SException.Validation("Field " + field + " value must be a comma separated string");
+                }
+            }
+        }
+    });
+    public static final StringField Zones = new StringField(META, "Zones").addValidator(new SValidatorI() {
+        @Override
+        public void onValidate(SFieldMeta field, SRecordInstance instance) throws SException.Validation {
+            if (!instance.isNull(field)) {
+                String val = instance.getString(field);
+
+                try {
+                    val.split(",");
+                } catch (Throwable ex) {
+                    throw new SException.Validation("Field " + field + " value must be a comma separated string");
+                }
+            }
+        }
+    });
+
     public static final BooleanField Enabled = new BooleanField(META, "Enabled").setDefault(true);
 
+    public static final Category SettingsCategory = new Category("NodeRED.Settings", 125).include(Name, APIToken, Secret, AuditProfile, Enabled);
+
+    public static final Category ImpersonateCategory = new Category("NodeRED.Impersonate", 126).include(SecurityLevels, Roles, Zones);
+
     static {
         Name.getFormMeta().setFieldNameKey("NodeRED.Name.Name");
         Name.getFormMeta().setFieldDescriptionKey("NodeRED.Name.Desc");
@@ -55,6 +102,12 @@ public void onValidate(SFieldMeta field, SRecordInstance instance) throws SExcep
         Secret.getFormMeta().setEditorSource(PasswordEditorSource.getSharedInstance());
         AuditProfile.getFormMeta().setFieldNameKey("NodeRED.AuditProfile.Name");
         AuditProfile.getFormMeta().setFieldDescriptionKey("NodeRED.AuditProfile.Desc");
+        SecurityLevels.getFormMeta().setFieldNameKey("NodeRED.SecurityLevels.Name");
+        SecurityLevels.getFormMeta().setFieldDescriptionKey("NodeRED.SecurityLevels.Desc");
+        Roles.getFormMeta().setFieldNameKey("NodeRED.Roles.Name");
+        Roles.getFormMeta().setFieldDescriptionKey("NodeRED.Roles.Desc");
+        Zones.getFormMeta().setFieldNameKey("NodeRED.Zones.Name");
+        Zones.getFormMeta().setFieldDescriptionKey("NodeRED.Zones.Desc");
         Enabled.getFormMeta().setFieldNameKey("NodeRED.Enabled.Name");
         Enabled.getFormMeta().setFieldDescriptionKey("NodeRED.Enabled.Desc");
     }
@@ -87,4 +140,16 @@ public String getSecret() {
     public Long getAuditProfileId() {
         return getLong(AuditProfileId);
     }
+
+    public String getSecurityLevels() {
+        return getString(SecurityLevels);
+    }
+
+    public String getRoles() {
+        return getString(Roles);
+    }
+
+    public String getZones() {
+        return getString(Zones);
+    }
 }

IgnitionNodeRED-gateway/src/main/java/org/imdc/nodered/servlet/APITokenValidation.java

@@ -7,14 +7,17 @@
 
 public class APITokenValidation {
     private boolean success;
-    private String errorMessage, tokenName, token, auditProfileName;
+    private String errorMessage, tokenName, token, auditProfileName, securityLevels, roles, zones;
 
-    public APITokenValidation(boolean success, String errorMessage, String tokenName, String token, String auditProfileName) {
+    public APITokenValidation(boolean success, String errorMessage, String tokenName, String token, String auditProfileName, String securityLevels, String roles, String zones) {
         this.success = success;
         this.errorMessage = errorMessage;
         this.tokenName = tokenName;
         this.token = token;
         this.auditProfileName = auditProfileName;
+        this.securityLevels = securityLevels;
+        this.roles = roles;
+        this.zones = zones;
     }
 
     public boolean isSuccess() {
@@ -49,6 +52,18 @@ public boolean isAuditProfileDefined() {
         return auditProfileName != null;
     }
 
+    public String getSecurityLevels() {
+        return securityLevels;
+    }
+
+    public String getRoles() {
+        return roles;
+    }
+
+    public String getZones() {
+        return zones;
+    }
+
     public static APITokenValidation validateToken(GatewayContext context, String apiToken, String secret) {
         boolean success = true;
         String errorMessage = null;
@@ -79,6 +94,6 @@ public static APITokenValidation validateToken(GatewayContext context, String ap
             }
         }
 
-        return new APITokenValidation(success, errorMessage, r.getName(), r.getAPIToken(), auditProfileName);
+        return new APITokenValidation(success, errorMessage, r.getName(), r.getAPIToken(), auditProfileName, r.getSecurityLevels(), r.getRoles(), r.getZones());
     }
 }

IgnitionNodeRED-gateway/src/main/java/org/imdc/nodered/servlet/NodeREDServlet.java

@@ -1,12 +1,16 @@
 package org.imdc.nodered.servlet;
 
+import com.google.common.collect.ImmutableCollection;
+import com.google.common.collect.ImmutableSet;
 import com.inductiveautomation.ignition.common.Dataset;
 import com.inductiveautomation.ignition.common.TypeUtilities;
+import com.inductiveautomation.ignition.common.auth.security.level.SecurityLevelConfig;
 import com.inductiveautomation.ignition.common.browsing.BrowseFilter;
 import com.inductiveautomation.ignition.common.browsing.Results;
 import com.inductiveautomation.ignition.common.model.values.QualifiedValue;
 import com.inductiveautomation.ignition.common.model.values.QualityCode;
 import com.inductiveautomation.ignition.common.tags.browsing.NodeDescription;
+import com.inductiveautomation.ignition.common.tags.model.SecurityContext;
 import com.inductiveautomation.ignition.common.tags.model.TagPath;
 import com.inductiveautomation.ignition.common.tags.paths.parser.TagPathParser;
 import com.inductiveautomation.ignition.common.util.AuditStatus;
@@ -95,6 +99,7 @@ protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws S
                 String apiToken = input.getString("apiToken");
                 String secret = input.getString("secret");
                 APITokenValidation validation = APITokenValidation.validateToken(context, apiToken, secret);
+                SecurityContext securityContext = getSecurityContext(validation);
 
                 if (validation.isSuccess()) {
                     String command = input.getString("command");
@@ -143,9 +148,9 @@ protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws S
 
                         if (errorMessage == null) {
                             if (command.equals("tagRead")) {
-                                tagRead(context, tagPaths, result);
+                                tagRead(context, tagPaths, securityContext, result);
                             } else if (command.equals("tagBrowse")) {
-                                tagBrowse(context, tagPaths, result);
+                                tagBrowse(context, tagPaths, securityContext, result);
                             } else if (command.equals("tagWrite")) {
                                 List<Object> values = new ArrayList<>();
                                 if (input.has("value")) {
@@ -168,7 +173,7 @@ protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws S
                                 if (values.size() != tagPaths.size()) {
                                     errorMessage = "Number of tag paths (" + tagPaths.size() + ") does not match values (" + values.size() + ")";
                                 } else {
-                                    tagWrite(context, tagPaths, values, result, ipAddress, validation);
+                                    tagWrite(context, tagPaths, values, securityContext, result, ipAddress, validation);
                                 }
                             }
                         }
@@ -214,6 +219,28 @@ protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws S
         }
     }
 
+    private SecurityContext getSecurityContext(APITokenValidation validation) {
+        if (validation.getSecurityLevels() != null && !validation.getSecurityLevels().isBlank()) {
+            String[][] paths = Arrays.stream(validation.getSecurityLevels().split(",")).map(r -> Arrays.stream(r.trim().split("/")).toArray(String[]::new)).toArray(String[][]::new);
+            return SecurityContext.fromSecurityLevels(SecurityLevelConfig.fromPaths(paths));
+        } else if ((validation.getRoles() != null && !validation.getRoles().isBlank()) || (validation.getZones() != null && !validation.getZones().isBlank())) {
+            ImmutableCollection<String> roles = ImmutableSet.of();
+            ImmutableCollection<String> zones = ImmutableSet.of();
+
+            if (validation.getRoles() != null && !validation.getRoles().isBlank()) {
+                roles = ImmutableSet.copyOf(Arrays.stream(validation.getRoles().split(",")).map(String::trim).toArray(String[]::new));
+            }
+
+            if (validation.getZones() != null && !validation.getZones().isBlank()) {
+                zones = ImmutableSet.copyOf(Arrays.stream(validation.getZones().split(",")).map(String::trim).toArray(String[]::new));
+            }
+
+            return SecurityContext.fromRolesAndZones(roles, zones);
+        }
+
+        return SecurityContext.emptyContext();
+    }
+
     public static void setTagValue(List<TagPath> tagPaths, List<QualifiedValue> tagValues, JSONObject result) throws JSONException {
         if (tagPaths.size() == 1) {
             result.put("tagPath", tagPaths.get(0).toStringFull());
@@ -267,9 +294,9 @@ public static void setQuality(JSONObject result, QualityCode qual) throws JSONEx
         result.put("quality", quality);
     }
 
-    private JSONArray browseTags(GatewayContext context, TagPath tagPath) throws JSONException, ExecutionException, InterruptedException, Exception {
+    private JSONArray browseTags(GatewayContext context, TagPath tagPath, SecurityContext securityContext) throws JSONException, ExecutionException, InterruptedException, Exception {
         JSONArray tagsArray = new JSONArray();
-        Results<NodeDescription> browseResults = context.getTagManager().browseAsync(tagPath, BrowseFilter.NONE).get();
+        Results<NodeDescription> browseResults = context.getTagManager().browseAsync(tagPath, BrowseFilter.NONE, securityContext).get();
         Collection<NodeDescription> tagDescriptions = browseResults.getResults();
         if (tagDescriptions != null) {
             Iterator<NodeDescription> iterator = tagDescriptions.iterator();
@@ -292,31 +319,31 @@ private JSONArray browseTags(GatewayContext context, TagPath tagPath) throws JSO
         return tagsArray;
     }
 
-    private void tagBrowse(GatewayContext context, final List<TagPath> tagPaths, JSONObject result) throws JSONException, ExecutionException, InterruptedException, Exception {
+    private void tagBrowse(GatewayContext context, final List<TagPath> tagPaths, SecurityContext securityContext, JSONObject result) throws JSONException, ExecutionException, InterruptedException, Exception {
         if (tagPaths.size() == 1) {
             logger.info("Browsing " + tagPaths.get(0).toStringFull());
             result.put("tagPath", tagPaths.get(0).toStringFull());
-            result.put("tags", browseTags(context, tagPaths.get(0)));
+            result.put("tags", browseTags(context, tagPaths.get(0), securityContext));
         } else {
             JSONArray resultValues = new JSONArray();
             for (int i = 0; i < tagPaths.size(); i++) {
                 JSONObject tagObject = new JSONObject();
                 TagPath tagPath = tagPaths.get(i);
                 tagObject.put("tagPath", tagPath.toStringFull());
-                tagObject.put("tags", browseTags(context, tagPath));
+                tagObject.put("tags", browseTags(context, tagPath, securityContext));
                 resultValues.put(tagObject);
             }
             result.put("values", resultValues);
         }
     }
 
-    private void tagRead(GatewayContext context, final List<TagPath> tagPaths, JSONObject result) throws JSONException, ExecutionException, InterruptedException {
-        List<QualifiedValue> tagValues = context.getTagManager().readAsync(tagPaths).get();
+    private void tagRead(GatewayContext context, final List<TagPath> tagPaths, SecurityContext securityContext, JSONObject result) throws JSONException, ExecutionException, InterruptedException {
+        List<QualifiedValue> tagValues = context.getTagManager().readAsync(tagPaths, securityContext).get();
         setTagValue(tagPaths, tagValues, result);
     }
 
-    private void tagWrite(GatewayContext context, final List<TagPath> tagPaths, final List<Object> writeValues, JSONObject result, String ipAddress, APITokenValidation validation) throws JSONException, ExecutionException, InterruptedException {
-        List<QualityCode> writeResult = context.getTagManager().writeAsync(tagPaths, writeValues).get();
+    private void tagWrite(GatewayContext context, final List<TagPath> tagPaths, final List<Object> writeValues, SecurityContext securityContext, JSONObject result, String ipAddress, APITokenValidation validation) throws JSONException, ExecutionException, InterruptedException {
+        List<QualityCode> writeResult = context.getTagManager().writeAsync(tagPaths, writeValues, securityContext).get();
 
         if (tagPaths.size() == 1) {
             TagPath tagPath = tagPaths.get(0);

IgnitionNodeRED-gateway/src/main/resources/org/imdc/nodered/NodeRED.properties

@@ -4,6 +4,8 @@ Noun=Node-RED API Token
 Noun.Plural=Node-RED API Tokens
 APITokens.MenuTitle=API Tokens
 APITokens.NoRows=No Node-RED API tokens
+Settings=Settings
+Impersonate=Security Impersonation
 Name.Name=Name
 Name.Desc=Name of API token and secret pair
 APIToken.Name=API Token
@@ -12,5 +14,11 @@ Secret.Name=Secret
 Secret.Desc=The secret (password) paired with the API token
 AuditProfile.Name=Audit Profile
 AuditProfile.Desc=The name of the audit profile that tag write actions will log to.
+SecurityLevels.Name=Security Levels
+SecurityLevels.Desc=A comma separated list of security levels to impersonate. If specified, security levels take precedence over roles and zones.
+Roles.Name=Roles
+Roles.Desc=A comma separated list of roles to impersonate.
+Zones.Name=Zones
+Zones.Desc=A comma separated list of zones to impersonate.
 Enabled.Name=Enabled
-Enabled.Desc=Whether or not the pair is enabled for Node-RED
+Enabled.Desc=Whether the token is enabled for Node-RED