@eang/core
Version:
eang - model driven enterprise event processing
121 lines (120 loc) • 4.34 kB
TypeScript
import { MultiDirectedGraph } from 'graphology';
import type { Attributes } from 'graphology-types';
import { Cnx, Obj, EangEventTypes } from './entity.js';
import { PersonObj, PolicyRuleObj, ServiceAccountObj } from './objects.js';
import { Prettify } from './types.js';
export type AuthzActionType = Prettify<EangEventTypes | 'read'>;
export interface AuthzRequest {
subject: PersonObj | ServiceAccountObj;
action: AuthzActionType;
entity: Obj | Cnx;
environment?: Environment;
}
export type RuleEffect = (typeof RuleEffect)[keyof typeof RuleEffect] | undefined;
export declare const RuleEffect: {
readonly allow: "allow";
readonly deny: "deny";
};
export interface AuthzResult {
effect: RuleEffect;
matchedRule?: PolicyRuleObj;
entity: Obj | Cnx;
}
type Op = 'equals' | 'in' | 'hasConnectionTo';
type ValueRef = {
ref: EntityPath;
};
type Value = string | number | boolean | string[] | ValueRef;
type EntityPath = string;
type Condition = {
[K in EntityPath]?: {
op: Op;
value?: Value;
ref?: EntityPath;
typeOf?: string[];
negate?: boolean;
};
};
export type Rule = {
description?: string;
conditions: Condition[];
};
export declare class Authorizer {
graph: MultiDirectedGraph<Attributes, Attributes, Attributes>;
constructor(graph?: MultiDirectedGraph<Attributes, Attributes, Attributes>);
getPolicyRuleChain(entity: Obj | Cnx): PolicyRuleObj[];
authorize(authzRequest: AuthzRequest): AuthzResult;
hasConnectionTo(fromId: string, toId: string, connectionType: string): boolean;
/**
* Resolves a property path from the authorization request context
* @param path - Property path like "entity.id", "subject.id", "entity.fromObjId", "action"
* @param authzRequest - The authorization request context
* @returns The resolved value or undefined if not found
*/
private resolvePropertyPath;
/**
* Evaluates a single condition against the authorization request
* @param condition - The condition to evaluate
* @param authzRequest - The authorization request context
* @returns true if the condition matches, false otherwise
*/
private evaluateCondition;
/**
* Evaluates an array of rules against the authorization request
* All conditions within a rule must match (AND logic)
* Any rule matching returns true (OR logic between rules)
* @param rules - Array of rules to evaluate
* @param authzRequest - The authorization request context
* @returns true if any rule matches, false otherwise
*/
evaluateRules(rules: Rule[], authzRequest: AuthzRequest): boolean;
private applyChain;
}
export declare class Environment {
name: string;
description?: string | undefined;
timeOfDay?: string;
timeRange?: {
start: string;
end: string;
};
dayOfWeek?: string;
date?: Date;
isHoliday?: boolean;
ipAddress?: string;
geographicLocation?: {
country?: string;
region?: string;
city?: string;
};
networkZone?: 'internal' | 'DMZ' | 'external';
connectionType?: 'VPN' | 'direct' | 'wireless' | string;
deviceType?: 'company-managed' | 'BYOD' | 'mobile' | 'desktop' | string;
securityPosture?: {
patchLevel?: string;
antivirusStatus?: 'active' | 'inactive' | string;
encryptionStatus?: 'enabled' | 'disabled' | string;
};
operatingSystem?: string;
osVersion?: string;
browserType?: string;
browserVersion?: string;
certificateStatus?: 'valid' | 'expired' | 'missing' | string;
threatLevel?: 'low' | 'medium' | 'high' | 'critical' | string;
anomalyScore?: number;
previousAuthFailures?: number;
sessionCharacteristics?: {
duration?: number;
idleTime?: number;
};
businessProcess?: string;
emergencyStatus?: boolean;
systemLoad?: number;
systemHealth?: 'normal' | 'degraded' | 'critical' | string;
maintenanceWindow?: boolean;
dataClassificationLevel?: 'public' | 'internal' | 'confidential' | 'restricted' | string;
regulatoryJurisdiction?: string[];
underAudit?: boolean;
constructor(name: string, description?: string | undefined, attributes?: Partial<Omit<Environment, 'name' | 'description'>>);
}
export {};