Skip to content

Commit

Permalink
🔀 Merge pull request #171 from Lissy93/FEATURE/granular-access-165
Browse files Browse the repository at this point in the history
[FEATURE] Granular User Access
Fixes #165
  • Loading branch information
Lissy93 authored Aug 20, 2021
2 parents aa6081d + d0c7fef commit fa56446
Show file tree
Hide file tree
Showing 12 changed files with 165 additions and 21 deletions.
7 changes: 6 additions & 1 deletion .github/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,11 @@
# Changelog

## ✨ 1.6.3 - Dependency and Build File Updates [PR #168](https://github.com/Lissy93/dashy/pull/168)
## ✨ 1.6.4 - Adds functionality for Granular Auth Control [PR #171](https://github.com/Lissy93/dashy/pull/171)
- Enables sections to be visible for all users except for those specified
- Enables sections to be hidden from all users except for those specified
- Enables sections to be hidden from guests, but visible to all authenticated users

## ⚡️ 1.6.3 - Dependency and Build File Updates [PR #168](https://github.com/Lissy93/dashy/pull/168)
- Removes any dependencies which are not 100% essential
- Moves packages that are only used for building into devDependencies
- Updates dependencies to latest version
Expand Down
27 changes: 27 additions & 0 deletions docs/authentication.md
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,33 @@ Once authentication is enabled, so long as there is no valid token in cookie sto
## Enabling Guest Access
With authentication setup, by default no access is allowed to your dashboard without first logging in with valid credentials. Guest mode can be enabled to allow for read-only access to a secured dashboard by any user, without the need to log in. A guest user cannot write any changes to the config file, but can apply modifications locally (stored in their browser). You can enable guest access, by setting `appConfig.enableGuestAccess: true`.

## Granular Access
You can use the following properties to make certain sections only visible to some users, or hide sections from guests.
- `hideForUsers` - Section will be visible to all users, except for those specified in this list
- `showForUsers` - Section will be hidden from all users, except for those specified in this list
- `hideForGuests` - Section will be visible for logged in users, but not for guests

For Example:

```yaml
- name: Code Analysis & Monitoring
icon: fas fa-code
displayData:
cols: 2
hideForUsers: [alicia, bob]
items:
...
```

```yaml
- name: Deployment Pipelines
icon: fas fa-rocket
displayData:
hideForGuests: true
items:
...
```

## Security
Since all authentication is happening entirely on the client-side, it is vulnerable to manipulation by an adversary. An attacker could look at the source code, find the function used generate the auth token, then decode the minified JavaScript to find the hash, and manually generate a token using it, then just insert that value as a cookie using the console, and become a logged in user. Therefore, if you need secure authentication for your app, it is strongly recommended to implement this using your web server, or use a VPN to control access to Dashy. The purpose of the login page is merely to prevent immediate unauthorized access to your homepage.

Expand Down
3 changes: 3 additions & 0 deletions docs/configuring.md
Original file line number Diff line number Diff line change
Expand Up @@ -149,6 +149,9 @@ To disallow any changes from being written to disk via the UI config editor, set
**`sectionLayout`** | `string` | _Optional_ | Specify which CSS layout will be used to responsivley place items. Can be either `auto` (which uses flex layout), or `grid`. If `grid` is selected, then `itemCountX` and `itemCountY` may also be set. Defaults to `auto`
**`itemCountX`** | `number` | _Optional_ | The number of items to display per row / horizontally. If not set, it will be calculated automatically based on available space. Can only be set if `sectionLayout` is set to `grid`. Must be a whole number between `1` and `12`
**`itemCountY`** | `number` | _Optional_ | The number of items to display per column / vertically. If not set, it will be calculated automatically based on available space. If `itemCountX` is set, then `itemCountY` can be calculated automatically. Can only be set if `sectionLayout` is set to `grid`. Must be a whole number between `1` and `12`
**`hideForUsers`** | `string[]` | _Optional_ | Current section will be visible to all users, except for those specified in this list
**`showForUsers`** | `string[]` | _Optional_ | Current section will be hidden from all users, except for those specified in this list
**`hideForGuests`** | `boolean` | _Optional_ | Current section will be visible for logged in users, but not for guests (see `appConfig.enableGuestAccess`). Defaults to `false`

**[⬆️ Back to Top](#configuring)**

Expand Down
2 changes: 1 addition & 1 deletion package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "Dashy",
"version": "1.6.3",
"version": "1.6.4",
"license": "MIT",
"main": "server",
"scripts": {
Expand Down
2 changes: 1 addition & 1 deletion src/components/Configuration/JsonEditor.vue
Original file line number Diff line number Diff line change
Expand Up @@ -102,7 +102,7 @@ export default {
methods: {
shouldAllowWriteToDisk() {
const { appConfig } = this.config;
return appConfig.allowConfigEdit !== false && isUserAdmin(appConfig.auth);
return appConfig.allowConfigEdit !== false && isUserAdmin();
},
save() {
if (this.saveMode === 'local' || !this.allowWriteToDisk) {
Expand Down
36 changes: 36 additions & 0 deletions src/components/LinkItems/ItemGroup.vue
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@
:rows="displayData.rows"
:color="displayData.color"
:customStyles="displayData.customStyles"
v-if="isSectionVisibleToUser()"
>
<div v-if="!items || items.length < 1" class="no-items">
No Items to Show Yet
Expand Down Expand Up @@ -51,6 +52,7 @@
import Item from '@/components/LinkItems/Item.vue';
import Collapsable from '@/components/LinkItems/Collapsable.vue';
import IframeModal from '@/components/LinkItems/IframeModal.vue';
import { getCurrentUser, isLoggedInAsGuest } from '@/utils/Auth';
export default {
name: 'ItemGroup',
Expand Down Expand Up @@ -85,6 +87,9 @@ export default {
? `grid-template-rows: repeat(${this.displayData.itemCountY}, 1fr);` : '';
return styles;
},
currentUser() {
return getCurrentUser();
},
},
methods: {
/* Returns a unique lowercase string, based on name, for section ID */
Expand All @@ -95,9 +100,11 @@ export default {
triggerModal(url) {
this.$refs[`iframeModal-${this.groupId}`].show(url);
},
/* Emmit value upwards when iframe modal opened/ closed */
modalChanged(changedTo) {
this.$emit('change-modal-visibility', changedTo);
},
/* Determines if user has enabled online status checks */
shouldEnableStatusCheck(itemPreference) {
const globalPreference = this.config.appConfig.statusCheck || false;
return itemPreference !== undefined ? itemPreference : globalPreference;
Expand All @@ -109,6 +116,35 @@ export default {
if (interval < 1) interval = 0;
return interval;
},
/* Returns false if this section should not be rendered for the current user/ guest */
isSectionVisibleToUser() {
const determineVisibility = (visibilityList, currentUser) => {
let isFound = false;
visibilityList.forEach((userInList) => {
if (userInList.toLowerCase() === currentUser) isFound = true;
});
return isFound;
};
const checkVisiblity = () => {
if (!this.currentUser) return true;
const hideFor = this.displayData.hideForUsers || [];
const currentUser = this.currentUser.user.toLowerCase();
return !determineVisibility(hideFor, currentUser);
};
const checkHiddenability = () => {
if (!this.currentUser) return true;
const currentUser = this.currentUser.user.toLowerCase();
const showForUsers = this.displayData.showForUsers || [];
if (showForUsers.length < 1) return true;
return determineVisibility(showForUsers, currentUser);
};
const checkIfHideForGuest = () => {
const hideForGuest = this.displayData.hideForGuests;
const isGuest = isLoggedInAsGuest();
return !(hideForGuest && isGuest);
};
return checkVisiblity() && checkHiddenability() && checkIfHideForGuest();
},
},
};
</script>
Expand Down
2 changes: 1 addition & 1 deletion src/components/Settings/SettingsContainer.vue
Original file line number Diff line number Diff line change
Expand Up @@ -114,7 +114,7 @@ export default {
* then they will never be able to view the homepage, so no button needed
*/
userState() {
return getUserState(this.appConfig || {});
return getUserState();
},
},
data() {
Expand Down
2 changes: 1 addition & 1 deletion src/router.js
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ const isGuestEnabled = () => {
/* Returns true if user is already authenticated, or if auth is not enabled */
const isAuthenticated = () => {
const users = config.appConfig.auth;
return (!users || users.length === 0 || isLoggedIn(users) || isGuestEnabled());
return (!users || users.length === 0 || isLoggedIn() || isGuestEnabled());
};

/* Get the users chosen starting view from app config, or return default */
Expand Down
72 changes: 60 additions & 12 deletions src/utils/Auth.js
Original file line number Diff line number Diff line change
@@ -1,5 +1,19 @@
import sha256 from 'crypto-js/sha256';
import { cookieKeys, localStorageKeys, userStateEnum } from './defaults';
import ConfigAccumulator from '@/utils/ConfigAccumalator';
import { cookieKeys, localStorageKeys, userStateEnum } from '@/utils/defaults';

/* Uses config accumulator to get and return app config */
const getAppConfig = () => {
const Accumulator = new ConfigAccumulator();
const config = Accumulator.config();
return config.appConfig || {};
};

/* Returns the users array from appConfig, if available, else an empty array */
const getUsers = () => {
const appConfig = getAppConfig();
return appConfig.auth || [];
};

/**
* Generates a 1-way hash, in order to be stored in local storage for authentication
Expand All @@ -17,7 +31,8 @@ const generateUserToken = (user) => {
* @param {Array[Object]} users An array of user objects pulled from the config
* @returns {Boolean} Will return true if the user is logged in, else false
*/
export const isLoggedIn = (users) => {
export const isLoggedIn = () => {
const users = getUsers();
const validTokens = users.map((user) => generateUserToken(user));
let userAuthenticated = false;
document.cookie.split(';').forEach((cookie) => {
Expand All @@ -35,10 +50,16 @@ export const isLoggedIn = (users) => {
};

/* Returns true if authentication is enabled */
export const isAuthEnabled = (users) => (users && users.length > 0);
export const isAuthEnabled = () => {
const users = getUsers();
return (users.length > 0);
};

/* Returns true if guest access is enabled */
export const isGuestAccessEnabled = (appConfig) => appConfig.enableGuestAccess || false;
export const isGuestAccessEnabled = () => {
const appConfig = getAppConfig();
return appConfig.enableGuestAccess || false;
};

/**
* Checks credentials entered by the user against those in the config
Expand Down Expand Up @@ -92,6 +113,33 @@ export const logout = () => {
localStorage.removeItem(localStorageKeys.USERNAME);
};

/**
* If correctly logged in as a valid, authenticated user,
* then returns the user object for the current user
* If not logged in, will return false
* */
export const getCurrentUser = () => {
if (!isLoggedIn()) return false; // User not logged in
const username = localStorage[localStorageKeys.USERNAME]; // Get username
if (!username) return false; // No username
let foundUserObject = false; // Value to return
getUsers().forEach((user) => {
// If current logged in user found, then return that user
if (user.user === username) foundUserObject = user;
});
return foundUserObject;
};

/**
* Checks if the user is viewing the dashboard as a guest
* Returns true if guest mode enabled, and user not logged in
* */
export const isLoggedInAsGuest = () => {
const guestEnabled = isGuestAccessEnabled();
const notLoggedIn = !isLoggedIn();
return guestEnabled && notLoggedIn;
};

/**
* Checks if the current user has admin privileges.
* If no users are setup, then function will always return true
Expand All @@ -101,9 +149,10 @@ export const logout = () => {
* @param {String[]} - Array of users
* @returns {Boolean} - True if admin privileges
*/
export const isUserAdmin = (users) => {
if (!users || users.length === 0) return true; // Authentication not setup
if (!isLoggedIn(users)) return false; // Auth setup, but not signed in as a valid user
export const isUserAdmin = () => {
const users = getUsers();
if (users.length === 0) return true; // Authentication not setup
if (!isLoggedIn()) return false; // Auth setup, but not signed in as a valid user
const currentUser = localStorage[localStorageKeys.USERNAME];
let isAdmin = false;
users.forEach((user) => {
Expand All @@ -122,11 +171,10 @@ export const isUserAdmin = (users) => {
* Note that if auth is enabled, but not guest access, and user not logged in,
* then they will never be able to view the homepage, so no button needed
*/
export const getUserState = (appConfig) => {
export const getUserState = () => {
const { notConfigured, loggedIn, guestAccess } = userStateEnum; // Numeric enum options
const users = appConfig.auth || []; // Get auth object
if (!isAuthEnabled(users)) return notConfigured; // No auth enabled
if (isLoggedIn(users)) return loggedIn; // User is logged in
if (isGuestAccessEnabled(appConfig)) return guestAccess; // Guest is viewing
if (!isAuthEnabled()) return notConfigured; // No auth enabled
if (isLoggedIn()) return loggedIn; // User is logged in
if (isGuestAccessEnabled()) return guestAccess; // Guest is viewing
return notConfigured;
};
10 changes: 7 additions & 3 deletions src/utils/ConfigAccumalator.js
Original file line number Diff line number Diff line change
Expand Up @@ -24,21 +24,25 @@ export default class ConfigAccumulator {
/* App Config */
appConfig() {
let appConfigFile = {};
if (this.conf) {
appConfigFile = this.conf.appConfig || {};
}
// Set app config from file
if (this.conf) appConfigFile = this.conf.appConfig || {};
// Fill in defaults if anything missing
let usersAppConfig = defaultAppConfig;
if (localStorage[localStorageKeys.APP_CONFIG]) {
usersAppConfig = JSON.parse(localStorage[localStorageKeys.APP_CONFIG]);
} else if (appConfigFile !== {}) {
usersAppConfig = appConfigFile;
}
// Some settings have their own local storage keys, apply them here
usersAppConfig.layout = localStorage[localStorageKeys.LAYOUT_ORIENTATION]
|| appConfigFile.layout || defaultLayout;
usersAppConfig.iconSize = localStorage[localStorageKeys.ICON_SIZE]
|| appConfigFile.iconSize || defaultIconSize;
usersAppConfig.language = localStorage[localStorageKeys.LANGUAGE]
|| appConfigFile.language || defaultLanguage;
// Don't let users modify users locally
if (appConfigFile.auth) usersAppConfig.auth = appConfigFile.auth;
// All done, return final appConfig object
return usersAppConfig;
}

Expand Down
21 changes: 21 additions & 0 deletions src/utils/ConfigSchema.json
Original file line number Diff line number Diff line change
Expand Up @@ -369,6 +369,27 @@
"minimum": 1,
"maximum": 12,
"description": "Number of items per row"
},
"hideForUsers": {
"type": "array",
"description": "Section will be visible to all users, except for those specified in this list",
"items": {
"type": "string",
"description": "Username for the user that will not be able to view this section"
}
},
"showForUsers": {
"type": "array",
"description": "Section will be hidden from all users, except for those specified in this list",
"items": {
"type": "string",
"description": "Username for the user that will have access to this section"
}
},
"hideForGuests": {
"type": "boolean",
"default": false,
"description": "If set to true, section will be visible for logged in users, but not for guests"
}
}
},
Expand Down
2 changes: 1 addition & 1 deletion src/views/Login.vue
Original file line number Diff line number Diff line change
Expand Up @@ -126,7 +126,7 @@ export default {
},
isUserAlreadyLoggedIn() {
const users = this.appConfig.auth;
const loggedIn = (!users || users.length === 0 || isLoggedIn(users));
const loggedIn = (!users || users.length === 0 || isLoggedIn());
return (loggedIn && this.existingUsername);
},
isGuestAccessEnabled() {
Expand Down

0 comments on commit fa56446

Please sign in to comment.