UNPKG

@microtica/auth

Version:

Authentication and Authorization library

333 lines 14.5 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
"use strict"; var __importDefault = (this && this.__importDefault) || function (mod) { return (mod && mod.__esModule) ? mod : { "default": mod }; }; var __importStar = (this && this.__importStar) || function (mod) { if (mod && mod.__esModule) return mod; var result = {}; if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k]; result["default"] = mod; return result; }; Object.defineProperty(exports, "__esModule", { value: true }); const utils_1 = require("@microtica/utils"); const http_status_codes_1 = __importDefault(require("http-status-codes")); const _ = __importStar(require("lodash")); const entity_permission_1 = require("./entity-permission"); const UNAUTHORIZED_ERROR = "User is not authorized to perform this action"; var AccessPermission; (function (AccessPermission) { AccessPermission["GrantAccess"] = "GRANT_ACCESS"; AccessPermission["RevokeAccess"] = "REVOKE_ACCESS"; })(AccessPermission = exports.AccessPermission || (exports.AccessPermission = {})); class AuthManager { constructor(auth) { this.auth = auth; } static serializePermissions(permissions) { return permissions.join(","); } static deserializePermissions(permissions) { return permissions.split(","); } /** * Returns all the needed Authorization Headers * * @param headers The Header object of the request * @returns Returns an object with all the AuthHeaders extracted from the Request.Headers */ static getAuthHeaders(headers) { const authHeaders = { groupIds: headers.groupids, userId: headers.userid, permissions: headers.permissions, projectId: headers.projectid }; return authHeaders; } /** * Grants certain permissions to the given user or group on the entity provided. * * @param assigneeId The assigneeId you want to grant access to * @param assigneeType The assigneeType of the assignee * @param entityId The Entity you want to grant the access on * @param permissions The permissions you want to be granted * @returns Returns an object with a done boolean parameter */ async grantAccess(assigneeId, assigneeType, entityId, permissions) { const existingPermissions = await entity_permission_1.EntityPermission.where({ assigneeId, entityId }).get(); if (existingPermissions) { permissions = _.uniq(_.concat(existingPermissions.permissions, permissions)); return entity_permission_1.EntityPermission .update({ permissions: AuthManager.serializePermissions(permissions) }) .where({ assigneeId, entityId }) .exec() .thenReturn({ done: true }); } return entity_permission_1.EntityPermission.insert({ assigneeId, assigneeType, entityId, permissions: AuthManager.serializePermissions(permissions) }).exec().thenReturn({ done: true }); } /** * Removes all access from the given assignee, on the given entity * * @param assigneeId The Assignee you want to revoke all access from * @param entityId The entity you want that access revoked * @returns Returns an object with a done boolean parameter */ async revokeAccess(assigneeId, entityId) { return entity_permission_1.EntityPermission .delete() .where(entity_permission_1.EntityPermission.assigneeId.equals(assigneeId) .and(entity_permission_1.EntityPermission.entityId.equals(entityId))) .exec() .thenReturn({ done: true }); } /** * Sets an Access List to the given entityId * * @param entityId The entity you want to set the access list to * @param accessList The access list you want to set * @returns Returns an object with a done boolean parameter */ async forceInheritAccess(entityId, accessList) { const entityPermissions = _.map(accessList, al => ({ assigneeId: al.assigneeId, assigneeType: al.assigneeType, entityId, permissions: AuthManager.serializePermissions(al.permissions) })); return entity_permission_1.EntityPermission.insert(entityPermissions) .exec() .thenReturn({ done: true }); } /** * Returns the Access List for the given Entity * * @param entityId The entity, which you want the access list for * @returns Returns an array with data of the EntityPermission Table */ async getAccessList(entityId) { const entityPermissions = await entity_permission_1.EntityPermission.where({ entityId }).all(); return _.map(entityPermissions, item => _.extend(item, { permissions: AuthManager.deserializePermissions(item.permissions) })); } /** * Returns the Access List for multiple entities * * @param entityIds The entities, which you want the access list for * @returns Returns a dictionary of arrays with data of the EntityPermission Table */ async getAccessListForMultipleEntities(entityIds) { const entityPermissions = await entity_permission_1.EntityPermission.where(entity_permission_1.EntityPermission.entityId.in(entityIds)).all(); return entityPermissions.reduce((entities, entity) => { if (!entities[entity.entityId]) { entities[entity.entityId] = []; } entities[entity.entityId].push(_.extend(entity, { permissions: AuthManager.deserializePermissions(entity.permissions) })); return entities; }, {}); } /** * Returns an Access List for the given Assignee Type and Entity * * @param entityId The entity, which you want the access list for * @param filterAssigneeType The assignee type you want from the access list * @returns Returns an array of the Access Lists on the entityId */ async getAccessListByType(entityId, filterAssigneeType) { const accessList = await this.getAccessList(entityId); const filteredList = filterAssigneeType ? _.filter(accessList, { assigneeType: filterAssigneeType }) : accessList; return _.map(filteredList, item => _.pick(item, ["assigneeId", "assigneeType", "permissions"])); } /** * Returns a query of the entity table with the entities/data with sufficient access * if given a parentId, returns a query of the entities/data the parent has access to * if not, returns a query of the entities/data the User has access to * * @param entity The EntityTable * @param parentId The Parent ID to check access against * @returns A query with the EntityTable joined with EntityPermission Table */ listEntities(entity, parentId) { const id = this.auth ? this.auth.id : undefined; const groups = this.auth ? this.auth.groups : undefined; let conditionNode; if (parentId) { conditionNode = entity_permission_1.EntityPermission.assigneeId.equals(parentId); } else { conditionNode = !groups ? entity_permission_1.EntityPermission.assigneeId.equals(id) : entity_permission_1.EntityPermission.assigneeId.equals(id).or(entity_permission_1.EntityPermission.assigneeId.in(groups)); } return entity .select(entity.star()) .from(entity_permission_1.EntityPermission.join(entity).on(entity.id.equals(entity_permission_1.EntityPermission.entityId))) .where(conditionNode).group(entity.id); } } exports.AuthManager = AuthManager; /** * Returns the Authorization Function * * @param requiredPermissions The Required Permissions for the User to pass * @returns Returns the authorize function */ function authorize(...requiredPermissions) { /** * Main Function which handles the Authorization part * It dictates wether the User has sufficient permissions to pass * * @param req The Request object * @param res The Response object * @param next The NextFunction * @returns Calls the NextFunction or returns a 401, Not authorized response */ return (req, res, next) => { const userId = req.get("userId"); const authHeader = req.get("Authorization"); const permissionsHeader = req.get("permissions"); const groupIdsHeader = req.get("groupIds"); if (!authHeader || !userId) { return res.status(401).send(utils_1.codedError(http_status_codes_1.default.UNAUTHORIZED, UNAUTHORIZED_ERROR)); } const groupIds = groupIdsHeader ? groupIdsHeader.split(",") : []; req.auth = { id: userId, type: "token", plain: authHeader, roles: [], groups: groupIds }; if (requiredPermissions.length > 0) { const globalPermissions = permissionsHeader ? permissionsHeader.split(",") : []; return shouldPass(requiredPermissions, globalPermissions) ? next() : res.status(401).send(utils_1.codedError(http_status_codes_1.default.UNAUTHORIZED, UNAUTHORIZED_ERROR)); } else { return next(); } }; } exports.authorize = authorize; /** * Returns the Authorization Function * * @param entityParam The Entity to authorize against * @param requiredPermissions The Required Permissions for the User to pass * @returns Returns the authorize function */ function authorizeStrict(entityParam, requiredPermissions) { /** * Main Function which handles the Authorization part * It dictates wether the User has sufficient permissions to pass * * @param req The Request object * @param res The Response object * @param next The NextFunction * @returns Calls the NextFunction or returns a 401, Not authorized response */ return (req, res, next) => { const userId = req.get("userId"); const authHeader = req.get("Authorization"); const permissionsHeader = req.get("permissions"); const groupIdsHeader = req.get("groupIds"); const projectIdHeader = req.get("projectId"); if (!authHeader || !userId || !projectIdHeader) { return res.status(401).send(utils_1.codedError(http_status_codes_1.default.UNAUTHORIZED, UNAUTHORIZED_ERROR)); } const groupIds = groupIdsHeader ? groupIdsHeader.split(",") : []; req.auth = { id: userId, type: "token", plain: authHeader, roles: [], groups: groupIds }; if (requiredPermissions.length > 0) { const globalPermissions = permissionsHeader ? permissionsHeader.split(",") : []; const entityId = req.params[entityParam]; const projectId = projectIdHeader; getUserAndGroupPermissions(entityId, userId, groupIds).then(userData => { getParentPermissions(entityId, projectId).then(parentData => { const parentPermissions = _.flatten(_.map(parentData, data => data.permissions.split(","))); const userPermissions = _.uniq(_.flatten(_.map(userData, data => data.permissions.split(",")))); return checkAccess(requiredPermissions, userPermissions, parentPermissions, globalPermissions) ? next() : res.status(401).send(utils_1.codedError(http_status_codes_1.default.UNAUTHORIZED, UNAUTHORIZED_ERROR)); }); }); } else { return next(); } }; } exports.authorizeStrict = authorizeStrict; /** * Returns the parent permissions on the given entity * * @param entityId The entity you want permissions for * @param parentId The parent you want permissions for * @returns Returns an array of the EntityPermission Table */ async function getParentPermissions(entityId, parentId) { return entity_permission_1.EntityPermission.where(entity_permission_1.EntityPermission.entityId.equals(entityId) .and(entity_permission_1.EntityPermission.assigneeId.equals(parentId))).all(); } /** * Returns all the permissions for the given user and his groups on the given entity * * @param entityId The Entity you want permissions for * @param userId The User ID to get permissions for * @param groupIds The Group to get permissions for * @returns Returns an array of the EntityPermission Table */ async function getUserAndGroupPermissions(entityId, userId, groupIds) { return entity_permission_1.EntityPermission.where(entity_permission_1.EntityPermission.entityId.equals(entityId) .and(entity_permission_1.EntityPermission.assigneeId.equals(userId) .or(entity_permission_1.EntityPermission.assigneeId.in(groupIds)))).all(); } /** * Checks if the permissions are sufficent * * @param requiredPermissions The Required Permissions needed to pass * @param permissions The Permissions the assignee has * @returns Returns a boolean */ function shouldPass(requiredPermissions, permissions) { const overLappedPermissions = _.intersection(requiredPermissions, permissions); return overLappedPermissions.length === requiredPermissions.length || _.includes(permissions, "OWNER"); } /** * Logic for authorization managment * Checks if the user has specific permissions on the given entity, * then checks if they are sufficient * if there are no specific permissions, * it checks the parent permissions and the global permissions if they are sufficient * * @param requiredPermissions The Required Permissions needed to pass * @param userPermissions The Permissions the User has * @param parentPermissions The Permissions the Parent has * @param globalPermissions The Global Permissions the User has on the Parent * @returns Returns a boolean */ function checkAccess(requiredPermissions, userPermissions, parentPermissions, globalPermissions) { if (userPermissions.length !== 0) { return shouldPass(requiredPermissions, userPermissions); } else { return shouldPass(requiredPermissions, parentPermissions) && shouldPass(requiredPermissions, globalPermissions); } } //# sourceMappingURL=auth.js.map