@neo4j/graphql/dist/translate/queryAST/factory/AuthorizationFactory.js

A GraphQL to Cypher query execution layer for Neo4j and JavaScript GraphQL implementations

"use strict";
/*
 * Copyright (c) "Neo4j"
 * Neo4j Sweden AB [http://neo4j.com]
 *
 * This file is part of Neo4j.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
Object.defineProperty(exports, "__esModule", { value: true });
exports.AuthorizationFactory = void 0;
const utils_1 = require("../../../utils/utils");
const populate_where_params_1 = require("../../authorization/utils/populate-where-params");
const AuthorizationFilters_1 = require("../ast/filters/authorization-filters/AuthorizationFilters");
const AuthorizationRuleFilter_1 = require("../ast/filters/authorization-filters/AuthorizationRuleFilter");
const is_concrete_entity_1 = require("../utils/is-concrete-entity");
class AuthorizationFactory {
    constructor(filterFactory) {
        this.filterFactory = filterFactory;
    }
    // TODO: rename this to getProjectionAuthFilters
    /** @param afterValidation Use it to add "AFTER" validate filters */
    getAuthFilters({ attributes, afterValidation = false, ...params }) {
        const authorizationFilters = this.createAuthFilterRule({
            ...params,
            authAnnotation: params.entity.annotations.authorization,
        });
        const authorizationValidate = this.createAuthValidateRule({
            ...params,
            authAnnotation: params.entity.annotations.authorization,
            when: "BEFORE",
        });
        let authorizationValidateAfter;
        if (afterValidation) {
            authorizationValidateAfter = this.createAuthValidateRule({
                ...params,
                authAnnotation: params.entity.annotations.authorization,
                when: "AFTER",
            });
        }
        const attributeAuthFilters = [];
        const attributeAuthValidate = [];
        if (attributes?.length && (0, is_concrete_entity_1.isConcreteEntity)(params.entity)) {
            for (const attribute of attributes) {
                attributeAuthFilters.push(this.createAuthFilterRule({
                    ...params,
                    authAnnotation: attribute.annotations.authorization,
                }));
                attributeAuthValidate.push(this.createAuthValidateRule({
                    ...params,
                    when: "BEFORE",
                    authAnnotation: attribute.annotations.authorization,
                }));
                if (afterValidation) {
                    attributeAuthValidate.push(this.createAuthValidateRule({
                        ...params,
                        when: "AFTER",
                        authAnnotation: attribute.annotations.authorization,
                    }));
                }
            }
        }
        return (0, utils_1.filterTruthy)([
            authorizationFilters,
            ...attributeAuthFilters,
            authorizationValidate,
            authorizationValidateAfter,
            ...attributeAuthValidate,
        ]);
    }
    createAuthFilterRule({ authAnnotation, ...params }) {
        const filters = this.createAuthRuleFilter(params, authAnnotation?.filter ?? [], "BEFORE"); // FILTERS ONLY APPLY BEFORE
        if (!filters.length) {
            return;
        }
        return new AuthorizationFilters_1.AuthorizationFilters({ validations: [], filters });
    }
    createAuthValidateRule({ authAnnotation, when, conditionForEvaluation, ...params }) {
        const rules = authAnnotation?.validate?.filter((rule) => rule.when.includes(when));
        const validations = this.createAuthRuleFilter(params, rules ?? [], when);
        if (!validations.length) {
            return;
        }
        return new AuthorizationFilters_1.AuthorizationFilters({ validations, filters: [], conditionForEvaluation });
    }
    createAuthRuleFilter(params, rules, when) {
        return rules
            .filter((rule) => rule.operations.some((operation) => params.operations.includes(operation)))
            .map((rule) => {
            const populatedWhere = (0, populate_where_params_1.populateWhereParams)({ where: rule.where, context: params.context });
            const nestedFilters = this.filterFactory.createAuthFilters({ ...params, populatedWhere });
            return new AuthorizationRuleFilter_1.AuthorizationRuleFilter({
                requireAuthentication: rule.requireAuthentication,
                filters: nestedFilters,
                isAuthenticatedParam: params.context.authorization.isAuthenticatedParam,
                when,
            });
        });
    }
}
exports.AuthorizationFactory = AuthorizationFactory;
//# sourceMappingURL=AuthorizationFactory.js.map