Access on Janik von Rotz https://janikvonrotz.ch/tags/access/ Recent content in Access on Janik von Rotz Hugo en Fri, 12 May 2017 09:46:48 +0000 The most simple access control for your Meteor React app https://janikvonrotz.ch/2017/05/12/the-most-simple-access-control-for-your-meteor-react-app/ Fri, 12 May 2017 09:46:48 +0000 https://janikvonrotz.ch/2017/05/12/the-most-simple-access-control-for-your-meteor-react-app/ <p>For my last Meteor React app I&rsquo;ve designed the most simple role based access control. The basic idea is that users can have multiple roles and every action possible is only allowed by a specified set of roles. For my Meteor React app the following scenarios were considered:</p> <p>Only users with specific roles are allowed to&hellip;</p> <ul> <li>call a Meteor method.</li> <li>subscribe to a publication.</li> <li>display React components in the UI.</li> </ul> <p>To solve this problem a role based access control (RBAC) has been implemented:</p> <p>user -&gt; roles -&gt; action -&gt; permission for publication / method / component</p> <p>Now you might miss the url access control as a scenario, why did I ignore it? Well, the answer is simple, a user won&rsquo;t access what he can&rsquo;t see. As long as we hide buttons and links which might lead to a restricted view and control access on the data layer properly, there&rsquo;s no need to have access control for urls.</p> <p><strong>/imports/helpers/config.js</strong></p> <p>The config file merges the access control list (acl) and Meteor settings. For every possible action a set of roles is defined.</p> <pre tabindex="0"><code>import { Meteor } from &#39;meteor/meteor&#39; import { objectAssign } from &#39;./index&#39; let acl = { // routers permissions &#39;routers.read&#39;: [ &#39;admin&#39;, &#39;spec&#39;, &#39;tech&#39;, &#39;user&#39; ], &#39;routers.insert&#39;: [ &#39;admin&#39;, &#39;spec&#39;, &#39;tech&#39; ], &#39;routers.update&#39;: [ &#39;admin&#39;, &#39;spec&#39;, &#39;tech&#39; ], &#39;routers.remove&#39;: [ &#39;admin&#39;, &#39;spec&#39; ], &#39;routers.restore&#39;: [ &#39;admin&#39; , &#39;spec&#39; ], &#39;routers.export&#39;: [ &#39;admin&#39;, &#39;spec&#39; ], // notification permissions &#39;notifications.read&#39;: [ &#39;admin&#39;, &#39;spec&#39;, &#39;tech&#39; ], &#39;notifications.receive&#39;: [ &#39;admin&#39;, &#39;spec&#39;, &#39;tech&#39; ], &#39;notifications.insert&#39;: [ &#39;admin&#39;, &#39;spec&#39;, &#39;tech&#39; ], &#39;notifications.remove&#39;: [ &#39;admin&#39;, &#39;spec&#39;, &#39;tech&#39; ], &#39;notifications.export&#39;: [ &#39;admin&#39;, &#39;spec&#39; ], } export default objectAssign(Meteor.settings.private, Meteor.settings.public, { acl: acl }) </code></pre><p>Of course you could create a collection to store the acl and make the permission model dynamic.</p> <p><strong>/imports/helpers/isAllowed.js</strong></p> <p>This is the only function required to check the users permission.</p> <pre tabindex="0"><code>import { config } from &#39;./index&#39; export default (action, roles) =&gt; { let allowed = false let allowedRoles = config.acl[action] roles = roles != null ? roles : [] roles.map((role) =&gt; { allowed = allowedRoles.indexOf(role) != -1 }) return allowed } </code></pre><p>Simple isn&rsquo;t it?</p> <p><strong>/server/methods/routers.js</strong></p> <p>This example shows how the permission is checked in a Meteor method.</p> <pre tabindex="0"><code>... import { isAllowed } from &#39;/imports/helpers&#39; export default () =&gt; { Meteor.methods({ &#39;routers.insert&#39;(object) { check(object, Object) // check permissions let roles = Meteor.userId() ? Meteor.user().roles : null if (!isAllowed(&#39;routers.insert&#39;, roles)) { throw new Meteor.Error(i18n.error.insufficent_rights, i18n.message.insufficent_rights_for_method) } // insert object ... </code></pre><p>Make sure the permission check is the first thing done when the method is executed.</p> <p><strong>/server/publication/router.js</strong></p> <p>Now we restrict access on the data access layer.</p> <pre tabindex="0"><code>... import { isAllowed } from &#39;/imports/helpers&#39; export default () =&gt; { Meteor.publish(&#39;routers.list&#39;, function(selector = {}) { // check permissions let user = Meteor.users.findOne(this.userId) let roles = user ? user.roles : null if (isAllowed(&#39;routers.read&#39;, roles)) { return Routers.find(selector) } else { this.stop() return } }) ... </code></pre><p>The user roles are accessible using <code>this.user</code> in a publication.</p> <p><strong>client/routers/Router.js</strong></p> <p>Finally you can restrict the visibility of React components quite easily.</p> <pre tabindex="0"><code>... import { isAllowed } from &#39;/imports/helpers&#39; class Router extends React.Component { ... render() { let { loading, user, i18n } = this.props return loading ? &lt;CircularProgress /&gt; : &lt;Card&gt; ... { isAllowed(&#39;routers.update&#39;, user ? user.roles : null) ? &lt;RaisedButton type=&#34;submit&#34; label={ i18n.button.update } primary={ true } /&gt; : null } { isAllowed(&#39;routers.remove&#39;, user ? user.roles : null) ? &lt;RaisedButton onTouchTap={ this.toggleDialog.bind(this, &#39;openRemoveDialog&#39;) } label={ i18n.button.remove } secondary={ true } /&gt; : null } ... &lt;/Card&gt; } } export default Router </code></pre><p>As you can see the <code>isAllowed</code> function is used for all scenarios.</p> <p><a href="https://janikvonrotz.ch/wp-content/uploads/2017/05/Meteor-React-component-access-control.gif"><img src="https://janikvonrotz.ch/wp-content/uploads/2017/05/Meteor-React-component-access-control.gif" alt="Untitled"></a></p> <p>Do you like this solution? Leave a comment and tell my more.</p> Manage access rights to the Office365 portal https://janikvonrotz.ch/2013/09/30/manage-the-access-rights-to-the-office365-portal/ Mon, 30 Sep 2013 14:24:08 +0000 https://janikvonrotz.ch/2013/09/30/manage-the-access-rights-to-the-office365-portal/ <p>In addition to my last script showing how to manage the user licenses in Office365 I&rsquo;ve written a new script for assign, remove or replace the access rights in the office365 portal.</p> <p>The script has the same structure as the license management script, feel free as always to copy and alter this script or asking me questions about it.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span><span style="color:#75715e">&lt;# </span></span></span><span style="display:flex;"><span><span style="color:#75715e">$Metadata = @{ </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Title = &#34;Set Office365 User Rights&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Filename = &#34;Set-O365UserRights.ps1&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Description = @&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e">Manage Office365 portal access rights with ActiveDirectory groups. </span></span></span><span style="display:flex;"><span><span style="color:#75715e">Assign Administration roles to the members of specified AD groups or by a users userprincipalname. </span></span></span><span style="display:flex;"><span><span style="color:#75715e">&#34;@ </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Tags = &#34;powershell, activedirectory, office365, user, rights&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Project = &#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Author = &#34;Janik von Rotz&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> AuthorContact = &#34;https://janikvonrotz.ch&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> CreateDate = &#34;2013-08-13&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> LastEditDate = &#34;2013-09-26&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Url = &#34;https://gist.github.com/janikvonrotz/6218401&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> Version = &#34;3.0.0&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> License = @&#39; </span></span></span><span style="display:flex;"><span><span style="color:#75715e">This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Switzerland License. </span></span></span><span style="display:flex;"><span><span style="color:#75715e">To view a copy of this license, visit https://creativecommons.org/licenses/by-sa/3.0/ch/ or </span></span></span><span style="display:flex;"><span><span style="color:#75715e">send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA. </span></span></span><span style="display:flex;"><span><span style="color:#75715e">&#39;@ </span></span></span><span style="display:flex;"><span><span style="color:#75715e">} </span></span></span><span style="display:flex;"><span><span style="color:#75715e">#&gt;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">try</span>{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># settings</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> $MsolRoleConfig = @{ </span></span><span style="display:flex;"><span> ADGroup = <span style="color:#e6db74">&#34;S-1-5-21-1744926098-708661255-2033415169-37011&#34;</span> <span style="color:#75715e"># O365F_Billing Administrator</span> </span></span><span style="display:flex;"><span> MsolRoleName = <span style="color:#e6db74">&#34;Billing Administrator&#34;</span> <span style="color:#75715e"># Get-MsolRole</span> </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> @{ </span></span><span style="display:flex;"><span> User = <span style="color:#e6db74">&#34;admin@vbluzern.onmicrosoft.com&#34;</span> <span style="color:#75715e"># O365F_Billing Administrator</span> </span></span><span style="display:flex;"><span> MsolRoleName = <span style="color:#e6db74">&#34;Company Administrator&#34;</span> <span style="color:#75715e"># Get-MsolRole</span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># modules</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span> Import-Module MSOnline </span></span><span style="display:flex;"><span> Import-Module MSOnlineExtended </span></span><span style="display:flex;"><span> Import-Module ActiveDirectory </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># main</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">#--------------------------------------------------#</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># import credentials</span> </span></span><span style="display:flex;"><span> $Credential = Import-PSCredential $(Get-ChildItem -Path $PSconfigs.Path -Filter <span style="color:#e6db74">&#34;Office365.credentials.config.xml&#34;</span> -Recurse).FullName </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># connect to office365</span> </span></span><span style="display:flex;"><span> Connect-MsolService -Credential $Credential </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> $UserAndMsolRole = @( </span></span><span style="display:flex;"><span> ($MsolRoleConfig | where{$_.ADGroup <span style="color:#f92672">-ne</span> $null} | %{$MsolRole = $_.MsolRoleName; $MsolRole = (Get-MsolRole | where{$_.Name <span style="color:#f92672">-eq</span> $MsolRole}); Get-ADGroupMember $_.ADGroup -Recursive |Get-ADUser | select UserPrincipalName, @{Name = <span style="color:#e6db74">&#34;MsolRole&#34;</span>; Expression={$MsolRole}}}), </span></span><span style="display:flex;"><span> ($MsolRoleConfig | where{$_.User <span style="color:#f92672">-ne</span> $null}| %{$MsolRole = $_.MsolRoleName; $_ | select @{L = <span style="color:#e6db74">&#34;UserPrincipalName&#34;</span>; E = {$_.User}},@{L = <span style="color:#e6db74">&#34;MsolRole&#34;</span>; E = {Get-MsolRole | where{$_.Name <span style="color:#f92672">-eq</span> $MsolRole}}}}) </span></span><span style="display:flex;"><span> ) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> $MsolRoleMembers = Get-MsolRole | %{$MsolRole = $_; Get-MsolRoleMember -RoleObjectId $_.ObjectID -MemberObjectTypes User | where{$_.isLicensed} | select @{L = <span style="color:#e6db74">&#34;UserPrincipalName&#34;</span>; E = {$_.EmailAddress}},@{L = <span style="color:#e6db74">&#34;MsolRole&#34;</span>; E = {$MsolRole}}} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> (Get-MsolUser -All) | %{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> $MsolUser = $_ </span></span><span style="display:flex;"><span> $AlreadyAssigned = $MsolRoleMembers | where{$_.UserPrincipalName <span style="color:#f92672">-eq</span> $MsolUser.UserPrincipalName} </span></span><span style="display:flex;"><span> $ToAssign = $UserAndMsolRole | where{$_.UserPrincipalName <span style="color:#f92672">-eq</span> $MsolUser.UserPrincipalName} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>($AlreadyAssigned){ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>(($ToAssign) <span style="color:#f92672">-and</span> ($AlreadyAssigned.MsolRole.ObjectId <span style="color:#f92672">-ne</span> $ToAssign.MsolRole.ObjectId)){ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-Host <span style="color:#e6db74">&#34;Replace role: </span>$($AlreadyAssigned.MsolRole.Name)<span style="color:#e6db74"> with: </span>$($ToAssign.MsolRole.Name)<span style="color:#e6db74"> for: </span>$($MsolUser.UserPrincipalName)<span style="color:#e6db74">.&#34;</span> </span></span><span style="display:flex;"><span> Remove-MsolRoleMember -RoleMemberEmailAddress $MsolUser.UserPrincipalName -RoleMemberType User -RoleName $AlreadyAssigned.MsolRole.Name </span></span><span style="display:flex;"><span> Add-MsolRoleMember -RoleMemberEmailAddress $MsolUser.UserPrincipalName -RoleMemberType User -RoleName $ToAssign.MsolRole.Name </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> }<span style="color:#66d9ef">elseif</span>($ToAssign <span style="color:#f92672">-eq</span> $null){ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-Host <span style="color:#e6db74">&#34;Remove role: </span>$($AlreadyAssigned.MsolRole.Name)<span style="color:#e6db74"> for: </span>$($MsolUser.UserPrincipalName)<span style="color:#e6db74">.&#34;</span> </span></span><span style="display:flex;"><span> Remove-MsolRoleMember -RoleMemberEmailAddress $MsolUser.UserPrincipalName -RoleMemberType User -RoleName $AlreadyAssigned.MsolRole.Name </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> }<span style="color:#66d9ef">else</span>{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-Host <span style="color:#e6db74">&#34;Role: </span>$($AlreadyAssigned.MsolRole.Name)<span style="color:#e6db74"> for: </span>$($MsolUser.UserPrincipalName)<span style="color:#e6db74"> is already assigned.&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> }<span style="color:#66d9ef">elseif</span>($ToAssign <span style="color:#f92672">-and</span> $MsolUser.IsLicensed){ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Write-Host <span style="color:#e6db74">&#34;Assign role: </span>$($ToAssign.MsolRole.Name)<span style="color:#e6db74"> for: </span>$($MsolUser.UserPrincipalName)<span style="color:#e6db74">.&#34;</span> </span></span><span style="display:flex;"><span> Add-MsolRoleMember -RoleMemberEmailAddress $MsolUser.UserPrincipalName -RoleMemberType User -RoleName $ToAssign.MsolRole.Name </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> }<span style="color:#66d9ef">elseif</span>($ToAssign){ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">throw</span> <span style="color:#e6db74">&#34;Not possible to assign role: </span>$($ToAssign.MsolRole.Name)<span style="color:#e6db74"> user: </span>$($MsolUser.UserPrincipalName)<span style="color:#e6db74"> has to be licensed.&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>}<span style="color:#66d9ef">catch</span>{ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Send-PPErrorReport -FileName <span style="color:#e6db74">&#34;DirSync.mail.config.xml&#34;</span> -ScriptName $MyInvocation.InvocationName </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>}``` </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>[https<span style="color:#960050;background-color:#1e0010">:</span>//gist.github.com/janikvonrotz/<span style="color:#ae81ff">6763616</span>](https<span style="color:#960050;background-color:#1e0010">:</span>//gist.github.com/janikvonrotz/<span style="color:#ae81ff">6763616</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>&lt;h1&gt;Requirements&lt;/h1&gt; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>&lt;ul&gt; </span></span><span style="display:flex;"><span> &lt;li&gt;&lt;a href=<span style="color:#e6db74">&#34;https://codeberg.org/janikvonrotz/Powershell-Profile&#34;</span>&gt;Powershell-Profile&lt;/a&gt;&lt;/li&gt; </span></span><span style="display:flex;"><span> &lt;li&gt;Office365 with ADFS and DirSync&lt;/li&gt; </span></span><span style="display:flex;"><span>&lt;/ul&gt; </span></span></code></pre></div>