Merge pull request #2162 from kuzzleio/2.14.8-proposal

Release 2.14.8
kuzzleio · Oct 22, 2021 · df640d9 · df640d9
2 parents 898e6f6 + 524b279
commit df640d9
Show file tree

Hide file tree

Showing 32 changed files with 319 additions and 92 deletions.
diff --git a/.github/actions/cache-node-modules/action.yml b/.github/actions/cache-node-modules/action.yml
@@ -0,0 +1,22 @@
+name: Cache Node Modules
+description: Cache Node Modules
+
+inputs:
+  NODE_VERSION:
+    description: node version
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Cache node modules
+      uses: actions/cache@v2
+      env:
+        cache-name: cache-node-modules
+      with:
+        path: node_modules
+        key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ inputs.NODE_VERSION }}-${{ hashFiles('package-lock.json') }}
+        restore-keys: |
+          ${{ runner.os }}-build-${{ env.cache-name }}-${{ inputs.NODE_VERSION }}-${{ hashFiles('package-lock.json') }}
+
+
diff --git a/.github/actions/functional-tests/action.yml b/.github/actions/functional-tests/action.yml
@@ -18,5 +18,4 @@ runs:
       env:
         KUZZLE_FUNCTIONAL_TESTS: ${{ inputs.test-set }}
         NODE_VERSION: ${{ inputs.node-version }}
-        REBUILD: "true"
       shell: bash
diff --git a/.github/actions/unit-tests/action.yml b/.github/actions/unit-tests/action.yml
@@ -6,8 +6,6 @@ runs:
   steps:
     - run: npm install
       shell: bash
-    - run: npm rebuild
-      shell: bash
     - run: npm run build
       shell: bash
     - run: npm run test:unit:coverage

diff --git a/.github/workflows/pull_request.workflow.yml b/.github/workflows/pull_request.workflow.yml
@@ -11,6 +11,9 @@ jobs:
       - uses: actions/setup-node@v1
         with:
           node-version: ${{ matrix.node-version }}
+      - uses: ./.github/actions/cache-node-modules
+        with:
+          NODE_VERSION: ${{ matrix.node-version }}
       - uses: ./.github/actions/es-lint
 
   unit-tests:
@@ -25,6 +28,9 @@ jobs:
       - uses: actions/setup-node@v1
         with:
           node-version: ${{ matrix.node-version }}
+      - uses: ./.github/actions/cache-node-modules
+        with:
+          NODE_VERSION: ${{ matrix.node-version }}
       - uses: ./.github/actions/unit-tests
 
   functional-tests-legacy:
@@ -40,6 +46,9 @@ jobs:
       - uses: actions/setup-node@v1
         with:
           node-version: ${{ matrix.node-version }}
+      - uses: ./.github/actions/cache-node-modules
+        with:
+          NODE_VERSION: ${{ matrix.node-version }}
       - uses: ./.github/actions/functional-tests
         with:
           test-set: test:functional:legacy:${{ matrix.test_set }}
@@ -58,6 +67,9 @@ jobs:
       - uses: actions/setup-node@v1
         with:
           node-version: ${{ matrix.node-version }}
+      - uses: ./.github/actions/cache-node-modules
+        with:
+          NODE_VERSION: ${{ matrix.node-version }}
       - uses: ./.github/actions/functional-tests
         with:
           test-set: test:functional:${{ matrix.test_set }}
@@ -89,6 +101,9 @@ jobs:
       - uses: actions/setup-node@v1
         with:
           node-version: ${{ matrix.node-version }}
+      - uses: ./.github/actions/cache-node-modules
+        with:
+          NODE_VERSION: ${{ matrix.node-version }}
       - uses: ./.github/actions/monkey-tests
         with:
           node-version: ${{ matrix.node-version }}
diff --git a/.github/workflows/push_dev.workflow.yml b/.github/workflows/push_dev.workflow.yml
@@ -14,6 +14,9 @@ jobs:
       - uses: actions/setup-node@v1
         with:
           node-version: ${{ matrix.node-version }}
+      - uses: ./.github/actions/cache-node-modules
+        with:
+          NODE_VERSION: ${{ matrix.node-version }}
       - uses: ./.github/actions/es-lint
 
   unit-tests:
@@ -28,6 +31,9 @@ jobs:
       - uses: actions/setup-node@v1
         with:
           node-version: ${{ matrix.node-version }}
+      - uses: ./.github/actions/cache-node-modules
+        with:
+          NODE_VERSION: ${{ matrix.node-version }}
       - uses: ./.github/actions/unit-tests
 
   functional-tests-legacy:
@@ -43,6 +49,9 @@ jobs:
       - uses: actions/setup-node@v1
         with:
           node-version: ${{ matrix.node-version }}
+      - uses: ./.github/actions/cache-node-modules
+        with:
+          NODE_VERSION: ${{ matrix.node-version }}
       - uses: ./.github/actions/functional-tests
         with:
           test-set: test:functional:legacy:${{ matrix.test_set }}
@@ -61,6 +70,9 @@ jobs:
       - uses: actions/setup-node@v1
         with:
           node-version: ${{ matrix.node-version }}
+      - uses: ./.github/actions/cache-node-modules
+        with:
+          NODE_VERSION: ${{ matrix.node-version }}
       - uses: ./.github/actions/functional-tests
         with:
           test-set: test:functional:${{ matrix.test_set }}
@@ -83,6 +95,9 @@ jobs:
       - uses: actions/setup-node@v1
         with:
           node-version: ${{ matrix.node-version }}
+      - uses: ./.github/actions/cache-node-modules
+        with:
+          NODE_VERSION: ${{ matrix.node-version }}
       - uses: ./.github/actions/monkey-tests
         with:
           node-version: ${{ matrix.node-version }}
@@ -105,6 +120,9 @@ jobs:
       - uses: actions/setup-node@v1
         with:
           node-version: ${{ matrix.node-version }}
+      - uses: ./.github/actions/cache-node-modules
+        with:
+          NODE_VERSION: ${{ matrix.node-version }}
       - uses: ./.github/actions/deploy-doc
         with:
           REGION: us-west-2

diff --git a/.github/workflows/push_master.workflow.yml b/.github/workflows/push_master.workflow.yml
@@ -14,6 +14,9 @@ jobs:
       - uses: actions/setup-node@v1
         with:
           node-version: ${{ matrix.node-version }}
+      - uses: ./.github/actions/cache-node-modules
+        with:
+          NODE_VERSION: ${{ matrix.node-version }}
       - uses: ./.github/actions/es-lint
 
   unit-tests:
@@ -28,6 +31,9 @@ jobs:
       - uses: actions/setup-node@v1
         with:
           node-version: ${{ matrix.node-version }}
+      - uses: ./.github/actions/cache-node-modules
+        with:
+          NODE_VERSION: ${{ matrix.node-version }}
       - uses: ./.github/actions/unit-tests
 
   functional-tests-legacy:
@@ -43,6 +49,9 @@ jobs:
       - uses: actions/setup-node@v1
         with:
           node-version: ${{ matrix.node-version }}
+      - uses: ./.github/actions/cache-node-modules
+        with:
+          NODE_VERSION: ${{ matrix.node-version }}
       - uses: ./.github/actions/functional-tests
         with:
           test-set: test:functional:legacy:${{ matrix.test_set }}
@@ -61,6 +70,9 @@ jobs:
       - uses: actions/setup-node@v1
         with:
           node-version: ${{ matrix.node-version }}
+      - uses: ./.github/actions/cache-node-modules
+        with:
+          NODE_VERSION: ${{ matrix.node-version }}
       - uses: ./.github/actions/functional-tests
         with:
           test-set: test:functional:${{ matrix.test_set }}
@@ -83,6 +95,9 @@ jobs:
       - uses: actions/setup-node@v1
         with:
           node-version: ${{ matrix.node-version }}
+      - uses: ./.github/actions/cache-node-modules
+        with:
+          NODE_VERSION: ${{ matrix.node-version }}
       - uses: ./.github/actions/monkey-tests
         with:
           node-version: ${{ matrix.node-version }}

diff --git a/.kuzzlerc.sample b/.kuzzlerc.sample
@@ -105,6 +105,11 @@
   // (see https://docs.kuzzle.io/core/2/guides/write-plugins)
   "plugins": {
     // [Common]
+    //   * failsafeMode
+    //        If true, Kuzzle will not load custom plugin and features (including
+    //        the ones defined in the application).
+    //        The API will only be available to administrators ("admin" profile)
+    //        during failsafe mode.
     //   * bootstrapLockTimeout
     //        Maximum amount of time (in milliseconds)
     //        to wait for a concurrent plugin bootstrap
@@ -131,6 +136,7 @@
     //        Maximum number of pipes that can be delayed. If full, new pipes
     //        are rejected.
     "common": {
+      "failsafeMode": false,
       "bootstrapLockTimeout": 30000,
       "pipeWarnTime": 40,
       "initTimeout": 2000,

diff --git a/doc/2/api/errors/error-codes/api/index.md b/doc/2/api/errors/error-codes/api/index.md
@@ -50,5 +50,6 @@ description: Error codes definitions
 | api.process.incomplete_multiple_request<br/><pre>0x0202000a</pre>  | [MultipleErrorsError](/core/2/api/errors/error-codes#multipleerrorserror) <pre>(400)</pre> | At least one of the %s actions failed. | Failed to execute some or all actions requested |
 | api.process.not_enough_nodes<br/><pre>0x0202000b</pre>  | [ServiceUnavailableError](/core/2/api/errors/error-codes#serviceunavailableerror) <pre>(503)</pre> | Rejected: this cluster is disabled because there aren't enough nodes connected. | The Kuzzle cluster has not enough nodes available, and no new requests can be processed until new nodes are added |
 | api.process.unauthorized_origin<br/><pre>0x0202000c</pre>  | [UnauthorizedError](/core/2/api/errors/error-codes#unauthorizederror) <pre>(401)</pre> | The origin "%s" is not authorized. | The domain reaching out to Kuzzle is not authorized |
+| api.process.too_many_logins_requests<br/><pre>0x0202000d</pre>  | [TooManyRequestsError](/core/2/api/errors/error-codes#toomanyrequestserror) <pre>(429)</pre> | Rejected: Too many login attempts per second | The request was denied because the maximum ("limits.loginsPerSecond") number of login attempts per second has been exceeded. |
 
 ---
diff --git a/doc/2/api/errors/error-codes/plugin/index.md b/doc/2/api/errors/error-codes/plugin/index.md
@@ -39,7 +39,7 @@ description: Error codes definitions
 
 | id / code | class / status | message | description |
 | --------- | -------------- | --------| ----------- |
-| plugin.runtime.failed_init<br/><pre>0x04020001</pre>  | [PluginImplementationError](/core/2/api/errors/error-codes#pluginimplementationerror) <pre>(500)</pre> | Something went wrong during initialization of "%s" plugin. | An exception was thrown by a plugin's init function |
+| plugin.runtime.failed_init<br/><pre>0x04020001</pre>  | [PluginImplementationError](/core/2/api/errors/error-codes#pluginimplementationerror) <pre>(500)</pre> | Something went wrong during initialization of "%s" plugin. Set "plugins.common.failsafeMode" to true to bypass plugin initialization. | An exception was thrown by a plugin's init function |
 | plugin.runtime.unexpected_error<br/><pre>0x04020002</pre>  | [PluginImplementationError](/core/2/api/errors/error-codes#pluginimplementationerror) <pre>(500)</pre> | Caught an unexpected plugin error: %s | Embeds an unexpected plugin error into a standardized KuzzleError object |
 | plugin.runtime.pipe_timeout<br/><pre>0x04020003</pre> <DeprecatedBadge version="2.2.0"/> | [GatewayTimeoutError](/core/2/api/errors/error-codes#gatewaytimeouterror) <pre>(504)</pre> | Plugin "%s": timeout error. A pipe on the event "%s" exceeded the timeout delay (%sms). Aborting. | A pipe function execution took more than the configured server limit |
 | plugin.runtime.too_many_pipes<br/><pre>0x04020004</pre>  | [ServiceUnavailableError](/core/2/api/errors/error-codes#serviceunavailableerror) <pre>(503)</pre> | Request discarded: maximum number of executing pipe functions reached. | The number of running pipes exceeds the configured capacity (see configuration files). This may be caused by pipes being too slow, or by an insufficient number of Kuzzle nodes. |

diff --git a/doc/2/api/errors/error-codes/security/index.md b/doc/2/api/errors/error-codes/security/index.md
@@ -45,6 +45,7 @@ description: Error codes definitions
 | --------- | -------------- | --------| ----------- |
 | security.rights.unauthorized<br/><pre>0x07030001</pre>  | [UnauthorizedError](/core/2/api/errors/error-codes#unauthorizederror) <pre>(401)</pre> | Unauthorized: authentication required to execute the action "%s:%s". | Authentication required to execute this action |
 | security.rights.forbidden<br/><pre>0x07030002</pre>  | [ForbiddenError](/core/2/api/errors/error-codes#forbiddenerror) <pre>(403)</pre> | Insufficient permissions to execute the action "%s:%s" (User "%s"). | Insufficient permissions to execute this action |
+| security.rights.failsafe_mode_admin_only<br/><pre>0x07030003</pre>  | [ForbiddenError](/core/2/api/errors/error-codes#forbiddenerror) <pre>(403)</pre> | Only administrators ("admin" profile) can use the API in failsafe mode. | Only administrators ("admin" profile) can use the API in failsafe mode. Authenticate as admin or reboot without failsafe mode ("config.plugins.common.failsafeMode") to access the API. |
 
 ---
 

diff --git a/features-legacy/support/api/mqtt.js b/features-legacy/support/api/mqtt.js
@@ -120,6 +120,9 @@ class MqttApi extends ApiBase {
           }
         }
         else {
+          if (message.type === 'TokenExpired') {
+            this.responses = message;
+          }
           // notification
           const channel = topic;
           const roomId = topic.split('-')[0];

diff --git a/features-legacy/support/api/websocket.js b/features-legacy/support/api/websocket.js
@@ -35,6 +35,9 @@ class WebSocketApi extends WsApiBase {
         const data = JSON.parse(message);
 
         if (data.scope || data.type === 'user' || data.type === 'TokenExpired') {
+          if (data.type === 'TokenExpired') {
+            this.responses = data;
+          }
           // notification
           const channel = data.room;
           const roomId = channel.split('-')[0];

diff --git a/lib/api/funnel.js b/lib/api/funnel.js
@@ -50,6 +50,10 @@ const debug = require('../util/debug')('kuzzle:funnel');
 const processError = kerror.wrap('api', 'process');
 const { has } = require('../util/safeObject');
 
+// Actions of the auth controller that does not necessite to verify the token
+// when cookie auth is active
+const SKIP_TOKEN_VERIF_ACTIONS = ['login', 'checkToken', 'logout'];
+
 /**
  * @class PendingRequest
  * @param {Request} request
@@ -303,6 +307,9 @@ class Funnel {
                 })
                 .then(allowed => {
                   if (!allowed) {
+                    if (request.input.controller === 'auth' && request.input.action === 'login') {
+                      throw processError.get('too_many_logins_requests');
+                    }
                     throw processError.get('too_many_requests');
                   }
 
@@ -439,18 +446,18 @@ class Funnel {
 
         skipTokenVerification = request.getBoolean('cookieAuth')
           && request.input.controller === 'auth'
-          && ( request.input.action === 'login'
-            || request.input.action === 'checkToken'
-            || request.input.action === 'logout'
-          );
+          && SKIP_TOKEN_VERIF_ACTIONS.includes(request.input.action);
       }
     }
 
     try {
-      // If the verification should be skipped, we pass a null token, this way the verification will be made as anonymous
+      // If the verification should be skipped, we pass a null token,
+      // this way the verification will be made as anonymous
+      const token = skipTokenVerification ? null : request.input.jwt;
+
       request.context.token = await global.kuzzle.ask(
         'core:security:token:verify',
-        !skipTokenVerification && request.input.jwt || null);
+        token);
     }
     catch (error) {
       await global.kuzzle.pipe('request:onUnauthorized', request);
@@ -487,9 +494,21 @@ class Funnel {
       throw error;
     }
 
+    if ( global.kuzzle.config.plugins.common.failsafeMode
+      && ! this._isLogin(request)
+      && ! request.context.user.profileIds.includes('admin')
+    ) {
+      await global.kuzzle.pipe('request:onUnauthorized', request);
+      throw kerror.get('security', 'rights', 'failsafe_mode_admin_only');
+    }
+
     return global.kuzzle.pipe('request:onAuthorized', request);
   }
 
+  _isLogin (request) {
+    return request.input.controller === 'auth' && request.input.action === 'login';
+  }
+
   /**
    * Executes the request immediately.
    * /!\ To be used only by methods having already passed the overload check.