d4s-nginx-pep-examples/shinyproxy/pep.js.j2

export default { enforce };

function log(c, s){
  c.request.error(s)
}

function debug(c, s){
  return {{ nginx_pep_debug_enabled }} ? c.request.error(s) : null
}

function enforce(r) {

  var context = {
    request: r
  }

  log(context, "Inside NJS enforce for " + r.method + " @ " + r.headersIn.host + "/" + r.uri)
  context.authn = {}
  context.authn.token = getGCubeToken(context)
  if(context.authn.token != null){
    debug(context, "[PEP] token is " + context.authn.token)
    exportVariable(context, "auth_token", context.authn.token)
    verifyGCubeToken(context)
    .then(ctx=>{
        debug(context, "[PEP] Token is valid:" + njs.dump(context.userinfo))
        if(!checkAudience(context, context.userinfo.context)){
          throw new Error("Unauthorized context")
        }
        return Promise.resolve(context)
    }).then(ctx => {
      debug(context, "[HOMESERV] creating home for username " + context.userinfo.username)
      return context.request.subrequest("/_homeserv", {"body" : "user=" + context.userinfo.username })
    }).then(reply => {
      if(reply.status !== 200){
        throw new Error("Unauthorized: Unable to create home for user")
      }
      context.record = buildAccountingRecord(context)
      return context.request.subrequest("/_backend", { method : context.request.method, args : context.request.args, headers : context.request.headersIn})
    }).then(reply=>{
      debug(context, "[SHINYPROXY] response status: " + reply.status)
      copyHeaders(context, reply.headersOut, r.headersOut)
      closeAccountingRecord(context.record, (reply.status === 200 || reply.status === 201 || reply.status === 204 || reply.status === 302))
      debug(context, "Accounting record is: " + njs.dump(context.record))
      context.request.subrequest("/_accounting", { detached : true, body : JSON.stringify([context.record]) })
      if(reply.status === 301 || reply.status === 302){
        r.return(reply.status, reply.headersOut["Location"])
      }else{
        r.return(reply.status, reply.responseBody)
      } 
   }).catch(e => { log(context, "Error .... " + njs.dump(e)); context.request.return(e.message === "Unauthorized" ? 403 : 500)} )

    return
  }

  r.return(401, "Authorization required")
}

function copyHeaders(context, hin, hout){
  for (var h in hin) {
    if(h !== "Location") hout[h] = hin[h];
  }
}

function getBearerToken(context){
  if (context.request.headersIn['Authorization']){
    return context.request.headersIn['Authorization'].split(/Bearer\s+/)[1];
  }
  return null;
}

function getGCubeToken(context){
  if(context.request.args["gcube-token"]){
    return context.request.args["gcube-token"];
  }else if (context.request.headersIn['gcube-token']){
    return context.request.headersIn['gcube-token'];
  }
  return null;
}

function checkAudience(context, aud){
  debug(context, "Audience to verify is " + aud)
  return true
}

function buildAccountingRecord(context){
  const t = (new Date()).getTime()
  return {
    "recordType": "ServiceUsageRecord",
    "operationCount": 1,
    "creationTime": t,
    "callerHost": context.request.remoteAddress,
    "serviceClass": "ShinyApp",
    "callerQualifier": "TOKEN",
    "consumerId": context.userinfo.username,
    "aggregated": true,
    "serviceName": context.request.uri.split("app/")[1],
    "duration": 0,
    "maxInvocationTime": 0,
    "scope": context.userinfo.context,
    "host": context.request.headersIn.host,
    "startTime": t,
    "id": uuid(),
    "calledMethod": context.request.method + " " + context.request.uri,
    "endTime": 0,
    "minInvocationTime": 0,
    "operationResult": null
  }
}

function closeAccountingRecord(record, success){
  const t = (new Date()).getTime()
  record.duration = t - record.startTime
  record.endTime = t
  record.minInvocationTime = record.duration
  record.operationResult = success ? "SUCCESS" : "FAILED";
}

function uuid() {
  return 'xxxxxxxx-xxxx-4xxx-8xxx-xxxxxxxxxxxx'.replace(/[x]/g, function (c) {
    const r = Math.random() * 16 | 0, v = c == 'x' ? r : (r & 0x3 | 0x8);
    return v.toString(16);
  });
}

function exportVariable(context, name, value){
  context.request.variables[name] = value
  return context
}

function verifyiBearerToken(context){
  debug(context, "Inside verifyToken")
  var options = {
    "body" : "token=" + context.authn.token + "&token_type_hint=access_token"
  }
  return context.request.subrequest("/_jwt_verify_request", options)
    .then(reply=>{
      if (reply.status === 200) {
        debug(context, reply.responseBody)
        var response = JSON.parse(reply.responseBody);
        if (response.active === true) {
          return response
        } else {
          throw new Error("Unauthorized")
        }
      } else {
        throw new Error("Unauthorized")
      }
    }).then(verified_token => {
      context.authn.verified_token =
        JSON.parse(Buffer.from(context.authn.token.split('.')[1], 'base64url').toString())
      return context
    })
}

function verifyGCubeToken(context){
  return context.request.subrequest("/_gcube_user_info")
    .then(reply=>{
      if (reply.status === 200) {
        debug(context, "[Social Service] got response " + reply.responseBody)
        var response = JSON.parse(reply.responseBody);
        return response
      } else {
        debug(context, "[Social Service] failed " + reply.status + ":" + reply.responseBody)
        throw new Error("Unauthorized")
      }
    }).then(response => {
      context.userinfo = response.result
      return context
    })
}