
Commit c5f0222

committed
Remove Authzforce references
1 parent a384ec4 commit c5f0222

3 files changed

Lines changed: 18 additions & 28 deletions


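--- a/app/controllers/iot/command-listener.js
+++ b/app/controllers/iot/command-listener.js
@@ -12,7 +12,6 @@ const Security = require('../security');
 const CONTEXT_BROKER = process.env.CONTEXT_BROKER || 'http://localhost:1026/ngsi-ld/v1';
 const DEVICE_BROKER = process.env.DEVICE_BROKER || CONTEXT_BROKER;
 const NGSI_LD_TENANT = process.env.NGSI_LD_TENANT !== undefined ? process.env.NGSI_LD_TENANT : 'openiot';
-const AUTHZFORCE_ENABLED = process.env.AUTHZFORCE_ENABLED || false;
 
 const port = process.env.WEB_APP_PORT || '3000';
 const devicesPort = process.env.DUMMY_DEVICES_PORT || 3001;
@@ -129,26 +128,16 @@ function sendCommand(req, res) {
 });
 }
 
-// Ringing the bell and unlocking the door are restricted actions, everything else
-// can be done by any user. This is a simple access control function to ensure
-// only users who are authorized can do certain things.
+// Tractor commands (start/stop) require equipment-supervisor; water commands (on/off) require livestock-supervisor.
+// All other actions require authentication only.
+const SUPERVISED_ACTIONS = new Set(['start', 'stop', 'on', 'off']);
+
 function accessControl(req, res, next) {
 debug('accessControl');
 const action = req.body.action;
-if (action === 'ring') {
-// LEVEL 2: BASIC AUTHORIZATION - Resources are accessible on a User/Verb/Resource basis
-// LEVEL 3: ADVANCED AUTHORIZATION - Resources are accessible on XACML Rules
-return AUTHZFORCE_ENABLED
-? Security.authorizeAdvancedXACML(req, res, next, '/bell/ring')
-: Security.authorizeBasicPDP(req, res, next, '/bell/ring');
-} else if (action === 'unlock') {
-// LEVEL 2: BASIC AUTHORIZATION - Resources are accessible on a User/Verb/Resource basis
-// LEVEL 3: ADVANCED AUTHORIZATION - Resources are accessible on XACML Rules
-return AUTHZFORCE_ENABLED
-? Security.authorizeAdvancedXACML(req, res, next, '/door/unlock')
-: Security.authorizeBasicPDP(req, res, next, '/door/unlock');
+if (SUPERVISED_ACTIONS.has(action)) {
+return Security.authorizeBasicPDP(req, res, next);
 }
-// LEVEL 1: AUTHENTICATION ONLY - Every user is authorized, just ensure the user exists.
 return Security.authenticate(req, res, next);
 }
 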
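Review bot: The new check in accessControl fails open: any `req.body.action` that is not exactly one of the four strings in `SUPERVISED_ACTIONS` (a missing field, a non-string value, different casing) falls through to `Security.authenticate`, so the restriction only holds if sendCommand, whose body is outside this hunk, rejects such values too. I would validate the type before the lookup, for example `if (typeof action !== 'string') return res.sendStatus(400);` assuming this is an Express handler, or invert the test into an allowlist of actions that need authentication only. The comment above `SUPERVISED_ACTIONS` also promises a role split (equipment-supervisor for start/stop, livestock-supervisor for on/off) that nothing in this hunk enforces, since all four actions make the same `Security.authorizeBasicPDP(req, res, next)` call and the resource-path argument has been dropped. The comment should say that the role decision is delegated to `Security.authorizeBasicPDP`, and that function should be checked to confirm it can still tell the tractor and water cases apart from the request alone.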

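--- a/app/routes/index.js
+++ b/app/routes/index.js
@@ -31,7 +31,6 @@ const TRANSPORT = process.env.DUMMY_DEVICES_TRANSPORT || 'HTTP';
 const DEVICE_PAYLOAD = process.env.DUMMY_DEVICES_PAYLOAD || 'ultralight';
 const SECURE_ENDPOINTS = process.env.SECURE_ENDPOINTS || false;
 const ENTITY_LIMIT = process.env.ENTITY_LIMIT || 200;
-//const AUTHZFORCE_ENABLED = process.env.AUTHZFORCE_ENABLED || false;
 
 const NOTIFY_ATTRIBUTES = ['controlledAsset', 'type', 'filling', 'humidity', 'temperature'];
 
@@ -174,11 +173,9 @@ router.get('/device/monitor', function (req, res) {
 });
 
 // Access to IoT devices is secured by a Policy Decision Point (PDP).
-// LEVEL 1: AUTHENTICATION ONLY - For most actions, any user is authorized, just ensure the user exists.
-// LEVEL 2: BASIC AUTHORIZATION - Ringing the alarm bell and unlocking the Door are restricted to certain
-// users.
-// LEVEL 3: XACML AUTHORIZATION - Ringing the alarm bell and unlocking the Door are restricted via XACML
-// rules to certain users at certain times of day.
+// LEVEL 1: AUTHENTICATION ONLY - For most actions, any logged-in user is authorized.
+// LEVEL 2: BASIC AUTHORIZATION - Tractor (start/stop) and water (on/off) commands require a
+// supervisor role (equipment-supervisor or livestock-supervisor).
 router.post('/device/command', DeviceListener.accessControl, DeviceListener.sendCommand);
 
 // Retrieve Device History from STH-Comet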

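--- a/app/views/device-monitor.pug
+++ b/app/views/device-monitor.pug
@@ -11,11 +11,15 @@ block content
 
 - if (securityEnabled)
 p
-| A user must be logged in to activate devices, only security staff are able to  
-strong unlock
-|  doors and only security and managers can  
-strong ring
-|  the alarm bell.
+| A user must be logged in to activate devices, only equipment supervisors are able to  
+strong start
+|  and 
+strong stop
+|  tractors and only livestock supervisors can turn water sprinklers 
+strong on
+|  or 
+strong off
+| .
 
 
 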
