A highly extensible, type-safe IAM-like access control library for Node.js, inspired by AWS IAM. Deny by default, allow by vibes and less patience for your bad access patterns. Supports policies, roles, decorators, adapters, and rich evaluation context be

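/**
 * Build the default policy evaluator.
 *
 * Evaluation semantics:
 *  - Deny by default: when no statement matches, the decision is `false`.
 *  - Explicit Deny overrides Allow regardless of policy or statement order.
 *    Every candidate policy is scanned; a matching Deny wins even if an Allow
 *    matched earlier. (The previous implementation returned on the first
 *    matching statement, so an Allow listed before a Deny silently won.)
 *  - A statement matches when `stmt.actions` contains `action` and
 *    `stmt.resources` contains `resource` (exact `includes` match) and every
 *    entry of `stmt.conditions` (if any) passes.
 *  - A condition passes only when `operators` has an OWN property named
 *    `cond.operator` that is a function returning a truthy value. Inherited
 *    names such as `constructor` or `toString` fail closed instead of being
 *    invoked.
 *  - Policies referenced by roles are resolved by id against `policies`;
 *    unknown ids are ignored and each policy is evaluated at most once.
 *
 * @param {{debug: Function, info: Function, warn: Function}} _logger
 *   Logger used for debug/info/warn output; only those three methods are called.
 * @returns {(user: unknown, action: string, resource: string, context: object,
 *            policies: Array<{id: string, statements: Array<object>}>,
 *            roles: Array<{policyIds: string[]}>,
 *            operators: Record<string, Function>) =>
 *            Promise<{decision: boolean, trace: {checkedPolicies: string[], reason: string}, context: object}>}
 */
export function defaultPolicyEvaluator(_logger) {
  const logger = _logger;

  // Direct policies in the given order, followed by role-referenced policies
  // (first policy with a matching id wins), each id at most once.
  const collectPolicies = (policies, roles) => {
    const byId = new Map();
    for (const p of policies) {
      if (!byId.has(p.id)) byId.set(p.id, p);
    }
    const seen = new Set(policies.map((p) => p.id));
    const ordered = [...policies];
    for (const role of roles) {
      for (const pid of role.policyIds) {
        const p = byId.get(pid);
        if (p !== undefined && !seen.has(pid)) {
          seen.add(pid);
          ordered.push(p);
        }
      }
    }
    return ordered;
  };

  // Returns true when the statement has no conditions or all of them hold.
  // Operator lookup is restricted to own properties so a policy cannot name
  // an inherited Object.prototype member as its operator.
  const conditionsHold = (stmt, context, operators) => {
    if (!stmt.conditions) return true;
    return stmt.conditions.every((cond) => {
      const op = Object.prototype.hasOwnProperty.call(operators, cond.operator)
        ? operators[cond.operator]
        : undefined;
      const result = typeof op === 'function' ? op(cond.key, cond.value, context) : false;
      logger.debug('Condition check', { cond, result });
      return result;
    });
  };

  return async (user, action, resource, context, policies, roles, operators) => {
    logger.debug('defaultPolicyEvaluator: evaluating', { user, action, resource, context });
    const trace = { checkedPolicies: [], reason: '' };
    // First matching Allow, remembered until the full scan confirms no Deny.
    let allowedBy = null;

    for (const policy of collectPolicies(policies, roles)) {
      trace.checkedPolicies.push(policy.id);
      for (const stmt of policy.statements) {
        if (!stmt.actions.includes(action) || !stmt.resources.includes(resource)) continue;
        if (!conditionsHold(stmt, context, operators)) continue;
        if (stmt.effect === 'Deny') {
          // An explicit Deny is final; no later Allow can override it.
          trace.reason = 'Denied by policy ' + policy.id;
          logger.warn('Access denied', { policyId: policy.id, statement: stmt });
          return { decision: false, trace, context };
        }
        if (stmt.effect === 'Allow' && allowedBy === null) {
          allowedBy = { policy, stmt };
        }
        // Any other effect value is ignored, as before.
      }
    }

    if (allowedBy !== null) {
      trace.reason = 'Allowed by policy ' + allowedBy.policy.id;
      logger.info('Access allowed', { policyId: allowedBy.policy.id, statement: allowedBy.stmt });
      return { decision: true, trace, context };
    }
    trace.reason = 'No matching policy';
    logger.warn('No matching policy found', { user, action, resource });
    return { decision: false, trace, context };
  };
}
//# sourceMappingURL=defaultEvaluator.js.map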