How to use taskcluster-lib-scopes - 10 common examples
To help you get started, we’ve selected a few taskcluster-lib-scopes examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
taskcluster / taskcluster / services / auth / src / signaturevalidator.js View on Github 
throw new Error('ext.certificate cannot last longer than 31 days!');
}
// Check clientId validity
if (issuingClientId !== credentialName) {
let createScope = 'auth:create-client:' + credentialName;
if (!utils.satisfiesExpression(issuingScopes, createScope)) {
throw new Error('ext.certificate issuer `' + issuingClientId +
'` doesn\'t have `' + createScope + '` for supplied clientId.');
}
} else if ('clientId' in cert) {
throw new Error('ext.certificate.clientId must only be used with ext.certificate.issuer');
}
// Validate certificate scopes are subset of client
if (!utils.satisfiesExpression(scopes, {AllOf: cert.scopes})) {
throw new Error('ext.certificate issuer `' + issuingClientId +
'` doesn\'t satisfy all certificate scopes ' +
cert.scopes.join(', ') + '. The temporary ' +
'credentials were not generated correctly.');
}
// Generate certificate signature
let sigContent = [];
sigContent.push('version:' + '1');
if (cert.issuer) {
sigContent.push('clientId:' + credentialName);
sigContent.push('issuer:' + cert.issuer);
}
sigContent.push('seed:' + cert.seed);
sigContent.push('start:' + cert.start);
sigContent.push('expiry:' + cert.expiry);res.scopes = scopes = expandScopes(cert.scopes);
}
// Handle scope restriction with authorizedScopes
if (ext.authorizedScopes) {
// Validate input format
if (!(ext.authorizedScopes instanceof Array)) {
throw new Error('ext.authorizedScopes must be an array');
}
if (!ext.authorizedScopes.every(utils.validScope)) {
throw new Error('ext.authorizedScopes must be an array of valid scopes');
}
// Validate authorizedScopes scopes are satisfied by client (or temp) scopes
if (!utils.satisfiesExpression(res.scopes, {AllOf: ext.authorizedScopes})) {
throw new Error([
'Supplied credentials do not satisfy authorizedScopes; credentials have scopes:',
'',
'```',
res.scopes.join('\n'),
'```',
'',
'authorizedScopes are:',
'',
'```',
ext.authorizedScopes.join('\n'),
'```',
].join('\n'));
}
// Further limit scopeslet now = new Date().getTime();
if (cert.start > now + 5 * 60 * 1000) {
throw new Error('ext.certificate.start > now');
}
if (cert.expiry < now - 5 * 60 * 1000) {
throw new Error('ext.certificate.expiry < now');
}
// Check max time between start and expiry
if (cert.expiry - cert.start > 31 * 24 * 60 * 60 * 1000) {
throw new Error('ext.certificate cannot last longer than 31 days!');
}
// Check clientId validity
if (issuingClientId !== credentialName) {
let createScope = 'auth:create-client:' + credentialName;
if (!utils.satisfiesExpression(issuingScopes, createScope)) {
throw new Error('ext.certificate issuer `' + issuingClientId +
'` doesn\'t have `' + createScope + '` for supplied clientId.');
}
} else if ('clientId' in cert) {
throw new Error('ext.certificate.clientId must only be used with ext.certificate.issuer');
}
// Validate certificate scopes are subset of client
if (!utils.satisfiesExpression(scopes, {AllOf: cert.scopes})) {
throw new Error('ext.certificate issuer `' + issuingClientId +
'` doesn\'t satisfy all certificate scopes ' +
cert.scopes.join(', ') + '. The temporary ' +
'credentials were not generated correctly.');
}
// Generate certificate signature// Case where action.kind === 'hook'
const hookPayload = jsone(action.hookPayload, context);
const { hookId, hookGroupId } = action;
// verify that the decision task has
// the appropriate in-tree:action-hook:.. scope
const {
data: { expandScopes },
} = await apolloClient.query({
query: expandScopesQuery,
variables: {
scopes: taskGroup.scopes || [],
},
});
const expression = `in-tree:hook-action:${hookGroupId}/${hookId}`;
if (!satisfiesExpression(expandScopes, expression)) {
throw new Error(
`Action is misconfigured: decision task's scopes do not satisfy ${expression}`
);
}
const result = await apolloClient.mutate({
mutation: triggerHookQuery,
variables: {
hookGroupId,
hookId,
payload: hookPayload,
},
});
return result.data.triggerHook.taskId;
};disabled: false,
};
const isCliLogin = Boolean(query.callback_url);
const isClientDisabled =
clientData && clientData.client && clientData.client.disabled;
// CLI login
if (
isCliLogin &&
user &&
currentScopesData &&
currentScopesData.currentScopes
) {
Object.assign(initialClient, {
clientId: `${user.credentials.clientId}/${query.name}`,
scopes: scopeIntersection(
initialClient.scopes,
currentScopesData.currentScopes
),
});
}
if (location.state && location.state.accessToken) {
const state = { ...location.state };
delete state.accessToken;
this.props.history.replace({ state });
}
return (const currentUser = await strategies[user.identityProviderId].userFromIdentity(user.identity);
const userScopes = (await auth.expandScopes({scopes: currentUser.scopes()})).scopes;
await AccessToken.create({
// OAuth2 client
clientId: registeredClient.clientId,
redirectUri: areq.redirectURI,
identity: user.identity,
identityProviderId: user.identityProviderId,
accessToken: accessToken,
expires: taskcluster.fromNow('10 minutes'),
clientDetails: {
clientId: ares.clientId,
description: ares.description || `Client generated by ${user.identity} for OAuth2 Client ${registeredClient.clientId}`,
scopes: scopeIntersection(ares.scope, userScopes),
expires: ares.expires ?
ares.expires > taskcluster.fromNow(registeredClient.maxExpires) ?
taskcluster.fromNow(registeredClient.maxExpires).toISOString() :
ares.expires.toISOString()
: taskcluster.fromNow(registeredClient.maxExpires).toISOString(),
deleteOnExpiration: true,
},
}, true);
return accessToken;
})));let now = new Date().getTime();
if (cert.start > now + 5 * 60 * 1000) {
throw new Error('ext.certificate.start > now');
}
if (cert.expiry < now - 5 * 60 * 1000) {
throw new Error('ext.certificate.expiry < now');
}
// Check max time between start and expiry
if (cert.expiry - cert.start > 31 * 24 * 60 * 60 * 1000) {
throw new Error('ext.certificate cannot last longer than 31 days!');
}
// Check clientId validity
if (issuingClientId !== credentialName) {
let createScope = 'auth:create-client:' + credentialName;
if (!utils.scopeMatch(issuingScopes, [[createScope]])) {
throw new Error('ext.certificate issuer `' + issuingClientId +
'` doesn\'t have `' + createScope + '` for supplied clientId.');
}
} else if ('clientId' in cert) {
throw new Error('ext.certificate.clientId must only be used with ext.certificate.issuer');
}
// Validate certificate scopes are subset of client
if (!utils.scopeMatch(scopes, [cert.scopes])) {
throw new Error('ext.certificate issuer `' + issuingClientId +
'` doesn\'t satisfy all certificate scopes ' +
cert.scopes.join(', ') + '. The temporary ' +
'credentials were not generated correctly.');
}
// Generate certificate signatureres.scopes = scopes = expandScopes(cert.scopes);
}
// Handle scope restriction with authorizedScopes
if (ext.authorizedScopes) {
// Validate input format
if (!(ext.authorizedScopes instanceof Array)) {
throw new Error('ext.authorizedScopes must be an array');
}
if (!ext.authorizedScopes.every(utils.validScope)) {
throw new Error('ext.authorizedScopes must be an array of valid scopes');
}
// Validate authorizedScopes scopes are satisfied by client (or temp) scopes
if (!utils.scopeMatch(res.scopes, [ext.authorizedScopes])) {
throw new Error('Supplied credentials do not satisfy authorizedScopes; '
+ `credentials have scopes [${res.scopes}]; `
+ `authorizedScopes are [${[ext.authorizedScopes]}]`);
}
// Further limit scopes
res.scopes = scopes = expandScopes(ext.authorizedScopes);
}
return res;
};if (!user || user.identity !== handler.identityFromClientId(client.clientId)) {
user = await handler.userFromClientId(client.clientId);
if (!user) {
continue;
}
userScopes = (await auth.expandScopes({scopes: user.scopes()})).scopes;
debug('..against user', user.identity);
}
// if this client's expandedScopes are not satisfied by the user's expanded
// scopes, disable the client.
if (!scopeUtils.scopeMatch(userScopes, [client.expandedScopes])) {
await auth.disableClient(client.clientId);
}
}
};SERVICES.forEach(name => {
// auth defines scopes, so it doesn't need any of its own.
if (name === 'auth') {
return;
}
const tables = (requirements[`azure-${name}`] || {}).tables || [];
const scopes = [
...(requirements[`scopes-${name}`] || []),
...tables.map(t => 'auth:azure-table:read-write:${azureAccountId}/' + t),
];
scopes.sort(scopeCompare);
staticClients.push({
clientId: `static/taskcluster/${name}`,
scopes: normalizeScopeSet(scopes),
});
});taskcluster-lib-scopes
Scope checking utilities for Taskcluster
Package Health Score
54 / 100Popular taskcluster-lib-scopes functions
- taskcluster-lib-scopes.mergeScopeSets
- taskcluster-lib-scopes.normalizeScopeSet
- taskcluster-lib-scopes.removeGivenScopes
- taskcluster-lib-scopes.satisfiesExpression
- taskcluster-lib-scopes.scopeCompare
- taskcluster-lib-scopes.scopeIntersection
- taskcluster-lib-scopes.scopeMatch
- taskcluster-lib-scopes.scopesSatisfying
- taskcluster-lib-scopes.scopeUnion
- taskcluster-lib-scopes.validScope