more parliament permissions (arkime#2224)
* more parliament permissions

hide login button if not a parliament user
hide edit parliament button if not a parliament admin
show cluster/group errors fixed on the bottom for visibility

fixes arkime#2118

* check for commonAuth obj

* better checks for commonAuth endpoint

* remove commented out code

* add tests for parliament common auth

* add Arkime User Auth info in readme

* add rate limiting to all parliament endpoints

* remove rate limiting

make tests more verbose
deleteAllUsers at end of tests
add /regressionTests to makeToken endpoint

* check for success text and objs too

* cleanup

* update maketoken endpoint

add more readme

* more readme
31453 authored Mar 30, 2023
1 parent 63c405d commit 2ca1d51
Showing 12 changed files with 379 additions and 88 deletions.
1 change: 1 addition & 0 deletions .gitignore
@@ -48,6 +48,7 @@ parliament/parliament.dev.json
parliament/parliament.issues.json
parliament/parliament.dev.issues.json
parliament/vueapp/dist
tests/parliament.dev.issues.json

# wiseservice
wiseService/vueapp/dist
8 changes: 8 additions & 0 deletions common/arkimeUtil.js
@@ -96,6 +96,14 @@ class ArkimeUtil {
return true;
}

// ----------------------------------------------------------------------------
/**
* Is obj an object
*/
static isObject (obj) {
return typeof obj === 'object' && obj !== null;
}

// ----------------------------------------------------------------------------
/**
* Create a redis client from the provided url
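Review bot: `static isObject (obj)` also returns true for arrays, since `typeof [] === 'object'`, so the `req.body.commonAuth` check in parliament.js that switches to this helper will accept a JSON array and then iterate its indices as setting names. If the helper is meant to mean a plain settings object, add `&& !Array.isArray(obj)`, or provide a separate `isPlainObject` and use that at the call site.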
19 changes: 14 additions & 5 deletions parliament/README.md
@@ -9,8 +9,8 @@ This project was generated with [Vue CLI][vuecli].
The Parliament dashboard contains a grouped list of your Arkime clusters with links, ES health, and issues for each. You can search for Arkimes in your Parliament, change the data refresh time (15 seconds is the default), and hover over issues and ES health statuses for more information.

The app can be run in three ways:
1. with a password
2. read only mode (without a password, but it can be configured later)
1. with a password (**deprecated!**)
2. read only mode (without a password, but Arkime User Authentication can be configured later)
3. dashboard only mode (no password or ability to configure one)

_**If your Parliament has a password (via option 1 or 2), you can interact with it in the ways enumerated below.**_
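Review bot: the unchanged line `_**If your Parliament has a password (via option 1 or 2) ...**_` no longer matches the edited option 2, which now describes Arkime User Authentication rather than a password; reword it to cover both, e.g. "If your Parliament has a password or Arkime User Authentication configured (via option 1 or 2)".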
@@ -35,7 +35,9 @@ The settings page has 3 sections as described below:
4. The `remove all issues after` setting controls when an issue is removed if it has not occurred again. The issue is removed from the cluster after this time expires as long as the issue has not occurred again. _The default for this setting is 60 minutes._
5. The `remove acknowledged issues after` setting controls when an acknowledged issue is removed. The issue is removed from the cluster after this time expires (so you don't have to remove issues manually with the trashcan button). _The default for this setting is 15 minutes._

**Password:** this section allows a user to update the Parliament password or create a new password if the Parliament was started without one.
**Password:** **Deprecated!** Use the Auth section to configure Arkime user's authentication. This section allows a user to update the Parliament password or create a new password if the Parliament was started without one.

**Auth:** Here you can configure Parliament access using the Arkime User's database. See the [Arkime User Authetication](#arkime-user-authetication) section for more information.

**Notifiers:** this section provides the ability to configure alerts for your Parliament. Users can be alerted via:
1. Slack
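Review bot: "Authetication" is misspelled in `See the [Arkime User Authetication](#arkime-user-authetication) section` and in its anchor; the same misspelling appears in the `--pass` table row and in the `##### Arkime User Authetication` heading later in this file. GitHub derives the anchor from the heading text, so the heading and both links have to be corrected together to `Authentication` / `#arkime-user-authentication`, otherwise the links break.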
@@ -96,7 +98,7 @@ You can also run the app by building then starting the app. Like so:

| Parameter | Default | Description |
| --------------- | ------- | ----------- |
| --pass | EMPTY | Password will be used to login to update the parliament. If it is not set, the app runs in read only mode. **IMPORTANT:** passing in a password will overwrite any password already configured in your parliament. You can always configure a password later in the UI. |
| --pass | EMPTY | **Deprecated!** Please see the [Arkime User Authetication](#arkime-user-authetication) section below. Password will be used to login to update the parliament. If it is not set, the app runs in read only mode. **IMPORTANT:** passing in a password will overwrite any password already configured in your parliament. You can always configure a password later in the UI. |
| --port | 8008 | Port for the web app to listen on. |
| -c, --config | ./parliament.json | Absolute path to the JSON file to store your parliament information. |
| --key | EMPTY | Private certificate to use for https, if not set then http will be used. **certfile** must also be set. |
@@ -107,7 +109,14 @@ _Note: if you do not pass in the port or file arguments, the defaults are used._

Now browse to the app at `http://localhost:8765`, or whichever port you passed into the `npm start` command.

To login, use the password that you passed into the `npm start` command. If you did not supply a password, you can view the parliament in read only mode or configure one by navigating to the settings page.
To login, use the password (**deprecated**) that you passed into the `npm start` command. If you did not supply a password, you can view the parliament in read only mode and configure Arkime User Authentication in the Auth section on the Settings page (see section below).

##### Arkime User Authetication
Parliament passwords are being deprecated. You can configure Parliament access using the Auth section on the Settings page. Auth uses the Arkime User's database for Parliament access.

- **All** Arkime users can view the Parliament (dashboard only mode).
- Users with the "parliamentUser" role can ack, ignore, and delete issues within the Parliament.
- Users with the "parliamentAdmin" role can do everything a "parliamentUser" can, plus they can configure the Parliament by adding/removing/updating groups/clusters and manage the Parliament settings.

#### Development

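Review bot: `- **All** Arkime users can view the Parliament (dashboard only mode).` reuses "dashboard only mode", which earlier in this README names a startup mode (option 3, no password or ability to configure one); here it describes what an authenticated user without a Parliament role can do. Say "view only" (or "read only") here to keep the two apart, and state explicitly that users with neither role are still authenticated but cannot ack, ignore or delete issues.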
41 changes: 29 additions & 12 deletions parliament/parliament.js
@@ -440,28 +440,32 @@ function checkAuthUpdate (req, res, next) {

function isUser (req, res, next) {
if (!parliament.authMode) { return verifyToken(req, res, next); }

Auth.doAuth(req, res, () => {
if (req.user.hasRole('parliamentUser')) {
return next();
}

res.status(403).json({
tokenError: true,
success: false,
text: 'Permission Denied: Not a user'
text: 'Permission Denied: Not a Parliament user'
});
});
}

function isAdmin (req, res, next) {
if (!parliament.authMode) { return verifyToken(req, res, next); }

Auth.doAuth(req, res, () => {
if (req.user.hasRole('parliamentAdmin')) {
return next();
}

res.status(403).json({
tokenError: true,
success: false,
text: 'Permission Denied: Not an admin'
text: 'Permission Denied: Not a Parliament admin'
});
});
}
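Review bot: `isUser` grants access only on `req.user.hasRole('parliamentUser')`, so an account holding just `parliamentAdmin` is rejected on user-level routes, which contradicts the README line in this same commit stating that a parliamentAdmin "can do everything a parliamentUser can". Either check both roles in `isUser` (`hasRole('parliamentUser') || hasRole('parliamentAdmin')`) or make sure the role model makes parliamentAdmin imply parliamentUser. Also, both 403 responses set `tokenError: true` although in common-auth mode the failure is a missing role, not a bad token; if the UI treats `tokenError` as "log in again", a correctly authenticated user will be prompted to re-authenticate for what is a permission problem.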
@@ -547,7 +551,7 @@ function buildAlert (cluster, issue) {
const setNotifier = parliament.settings.notifiers[n];

// keep looking for notifiers if the notifier is off
if (!setNotifier.on) { continue; }
if (!setNotifier || !setNotifier.on) { continue; }

// quit before sending the alert if the alert is off
if (!setNotifier.alerts[issue.type]) { continue; }
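Review bot: the new guard `if (!setNotifier || !setNotifier.on) { continue; }` protects the `.on` access, but the next line, `if (!setNotifier.alerts[issue.type]) { continue; }`, still throws if a notifier entry has no `alerts` object. Use the same defensive shape there, e.g. `if (!setNotifier.alerts?.[issue.type]) { continue; }`; nullish coalescing (`??`) is already used in this commit on the makeToken route, so the runtime supports ES2020 optional chaining as well.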
@@ -836,7 +840,7 @@ function buildNotifierTypes () {
notifier.fields = fieldsMap;
}

if (app.get('debug')) {
if (app.get('debug') > 1) {
console.log('Built notifier alerts:', JSON.stringify(internals.notifierTypes, null, 2));
}
}
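Review bot: `if (app.get('debug') > 1)` silently disables this log if `debug` is ever set as a boolean (`true > 1` is false) or left undefined. If the setting is a numeric level everywhere, fine, but confirm how `debug` is populated from the CLI, and add a short comment saying the notifier dump is level-2 output so the threshold is not mistaken for a typo later.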
@@ -1166,6 +1170,16 @@ function writeIssues (req, res, next, successObj, errorText, sendIssues) {
}

/* APIs -------------------------------------------------------------------- */
if (app.get('regressionTests')) {
router.get('/regressionTests/makeToken', (req, res, next) => {
req.user = {
userId: req.query.molochRegressionUser ?? 'anonymous'
};
setCookie(req, res, next);
return res.end();
});
}

// Authenticate user
router.post('/auth', (req, res, next) => {
if (app.get('dashboardOnly')) {
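Review bot: the `/regressionTests/makeToken` route issues a session cookie for whatever `molochRegressionUser` the query string names, with no authentication, so everything hinges on `app.get('regressionTests')` never being true outside the test harness. Add a comment above the `if (app.get('regressionTests'))` block stating that, and consider logging a startup warning when the flag is enabled so a misconfigured deployment is visible in the logs. The handler also calls `setCookie(req, res, next)` and then `res.end()`; if `setCookie` can itself send a response or call `next`, the second write would error, so confirm it only sets the header.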
@@ -1232,7 +1246,7 @@ router.put('/auth/commonauth', [checkAuthUpdate], (req, res, next) => {
return next(newError(403, 'Your Parliament is in dasboard only mode. You cannot setup auth.'));
}

if (!ArkimeUtil.isString(req.body.commonAuth)) {
if (!ArkimeUtil.isObject(req.body.commonAuth)) {
return next(newError(422, 'Missing auth settings'));
}

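Review bot: with the check changed to `!ArkimeUtil.isObject(req.body.commonAuth)`, the 422 text 'Missing auth settings' is returned both when the field is absent and when it is present but not an object (for example the string the old `isString` check expected); 'Missing or invalid auth settings' would describe both cases. The unchanged context line above also has a typo, 'dasboard only mode', that could be fixed while this route is being touched.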
@@ -1244,13 +1258,16 @@ router.put('/auth/commonauth', [checkAuthUpdate], (req, res, next) => {
}

for (const s in req.body.commonAuth) {
let setting = req.body.commonAuth[s];
if (setting === '') {
setting = undefined;
const setting = req.body.commonAuth[s];

if (!ArkimeUtil.isString(setting)) {
continue;
}

if (!parliament.settings.commonAuth) {
parliament.settings.commonAuth = {};
}

parliament.settings.commonAuth[s] = setting;
}

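Review bot: the rewritten loop changes behaviour in two ways the commit message does not mention. Previously an empty string was mapped to `undefined`, so a client could clear a setting; now `''` passes `isString` and is stored as an empty string, while non-string values are silently skipped with no error, so a client sending a number never learns it was ignored (a 422 naming the offending key would be clearer). Also every key `s` in `req.body.commonAuth` is copied into `parliament.settings.commonAuth` without an allowlist of known commonAuth setting names; validating `s` against the expected keys would keep arbitrary client-chosen keys out of the saved Parliament settings.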
@@ -1357,10 +1374,6 @@ router.put('/settings', [isAdmin, checkCookieToken], (req, res, next) => {
});

function verifyNotifierReqBody (req) {
if (!ArkimeUtil.isString(req.body.key)) {
return 'Missing notifier key';
}

if (typeof req.body.notifier !== 'object') {
return 'Missing notifier';
}
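Review bot: removing the `req.body.key` check from `verifyNotifierReqBody` means any other route that relies on this helper for validation no longer checks the key; the check is re-added only in `router.put('/notifiers/:name', ...)` in the next hunk. Confirm that the notifier create path either has its own key check or genuinely does not need one, and add a one-line comment on the helper noting that the key is now validated by the caller.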
@@ -1394,6 +1407,10 @@ router.put('/notifiers/:name', [isAdmin, checkCookieToken], (req, res, next) =>
return next(newError(404, `${req.params.name} not found.`));
}

if (!ArkimeUtil.isString(req.body.key)) {
return next(newError(422, 'Missing notifier key'));
}

const verifyMsg = verifyNotifierReqBody(req);
if (verifyMsg) { return next(newError(422, verifyMsg)); }

4 changes: 2 additions & 2 deletions parliament/vueapp/src/components/Help.vue
@@ -72,8 +72,8 @@
The Parliament dashboard includes links, ES health, and issues for each Arkime cluster.
</p>
<p>
The dashboard page allows users to view and interact with the Molochs in your Parliament.
You can search for Molochs in your Parliament, change the data refresh time
The dashboard page allows users to view and interact with the Arkimes in your Parliament.
You can search for Arkimes in your Parliament, change the data refresh time
(15 seconds is the default),
and hover over issues and ES health statuses for more information.
</p>
5 changes: 4 additions & 1 deletion parliament/vueapp/src/components/Navbar.vue
@@ -98,7 +98,7 @@
</div>
</span> <!-- /refresh interval select -->
<!-- password input -->
<template v-if="!commonAuth">
<template v-if="!commonAuth && isUser">
<form>
<input type="text"
name="username"
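Review bot: `v-if="!commonAuth && isUser"` is a client-side convenience only; the server-side `isUser`/`isAdmin` middleware remains the enforcement point, which is right, but the condition now also depends on the store's `isUser` default. In password mode (`commonAuth` false) nobody is a user until they have logged in, so if `state.isUser` starts as false the login form can never appear; confirm the store initialises `isUser` to true when common auth is off, or gate this form on `!commonAuth` alone and leave the role check to the server.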
@@ -167,6 +167,9 @@ export default {
},
computed: {
// auth vars
isUser: function () {
return this.$store.state.isUser;
},
isAdmin: function () {
return this.$store.state.isAdmin;
},