Add support for sudo and mu-auth-scope for queries

This is an extension to how the query and update functions work. It brings these functions a bit more in line with current use and could ease the path to using scopes instead of sudo where it's possible.
mu-semtech · Jan 3, 2024 · 56e185e · 56e185e
1 parent c2abd73
commit 56e185e
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -202,8 +202,8 @@ mu.app.get('/', function( req, res ) {
 ```
 
 The following helper functions are provided by the template
-  - `query(query) => Promise`: Function for sending queries to the triplestore
-  - `update(query) => Promise`: Function for sending updates to the triplestore
+  - `query(query, options) => Promise`: Function for sending queries to the triplestore.  Options is an object which may include `sudo` and `scope` keys.
+  - `update(query, options) => Promise`: Function for sending updates to the triplestore.  Options is an object which may include `sudo` and `scope` keys.
   - `uuid() => string`: Generates a random UUID (e.g. to construct new resource URIs)
 
 The following SPARQL escape helpers are provided to construct safe SPARQL query strings
@@ -254,6 +254,8 @@ The following environment variables can be configured:
   - `MAX_BODY_SIZE` (default: `100kb`): max size of the request body. See [ExpressJS documentation](https://expressjs.com/en/resources/middleware/body-parser.html#limit).
   - `HOST` (default: `0.0.0.0`): The hostname you want the service to bind to.
   - `PORT` (default: `80`): The port you want the service to bind to.
+  - `ALLOW_MU_AUTH_SUDO`: Allow sudo queries when the service requests it.
+  - `DEFAULT_MU_AUTH_SCOPE`: Default mu-auth-scope to use for calls.
 
 
 #### Mounting `/config`

diff --git a/helpers/mu/sparql.js b/helpers/mu/sparql.js
@@ -11,9 +11,23 @@ const DEBUG_AUTH_HEADERS = env.get('DEBUG_AUTH_HEADERS').asBool();
 //==-- logic --==//
 
 // builds a new sparqlClient
-function newSparqlClient() {
+function newSparqlClient(userOptions) {
   let options = { requestDefaults: { headers: { } } };
 
+  if (userOptions.sudo === true) {
+    if (env.get("ALLOW_MU_AUTH_SUDO").asBool()) {
+      options.requestDefaults.headers['mu-auth-sudo'] = "true";
+    } else {
+      throw "Error, sudo request but service lacks ALLOW_MU_AUTH_SUDO header";
+    }
+  }
+
+  if (userOptions.scope) {
+    options.requestDefaults.headers['mu-auth-scope'] = userOptions.scope;
+  } else if (process.env.DEFAULT_MU_AUTH_SCOPE) {
+    options.requestDefaults.headers['mu-auth-scope'] = process.env.DEFAULT_MU_AUTH_SCOPE;
+  }
+
   if (httpContext.get('request')) {
     options.requestDefaults.headers['mu-session-id'] = httpContext.get('request').get('mu-session-id');
     options.requestDefaults.headers['mu-call-id'] = httpContext.get('request').get('mu-call-id');
@@ -38,24 +52,25 @@ function newSparqlClient() {
 }
 
 // executes a query (you can use the template syntax)
-function query( queryString ) {
+function query( queryString, options ) {
   if (LOG_SPARQL_QUERIES) {
     console.log(queryString);
   }
-  return executeQuery(queryString);
+  return executeQuery(queryString, options);
 };
 
 // executes an update query
-function update( queryString ) {
+function update( queryString, options ) {
   if (LOG_SPARQL_UPDATES) {
     console.log(queryString);
   }
-  return executeQuery(queryString);
+  return executeQuery(queryString, options);
 };
 
-function executeQuery( queryString ) {
-  return newSparqlClient().query(queryString).executeRaw().then(response => {
+function executeQuery( queryString, options ) {
+  return newSparqlClient(options || {}).query(queryString).executeRaw().then(response => {
     const temp = httpContext;
+
     if (httpContext.get('response') && !httpContext.get('response').headersSent) {
       // set mu-auth-allowed-groups on outgoing response
       const allowedGroups = response.headers['mu-auth-allowed-groups'];