UNPKG

@softvisio/core

Version:

Softisio core

softvisio-node.github.io/core/

softvisio-node/core

139 lines (114 loc) 4.68 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
import Component from "#lib/app/api/component"; import GlobPatterns from "#lib/glob/patterns"; import { isKebabCase, validatePath } from "#lib/naming-conventions"; import sql from "#lib/sql"; const STATIC_PERMISSIONS = new Set( [ "guests", "users", "root", "telegram-bot-users" ] ); export default class extends Component { #resolvers = {}; // static get staticPermissions () { return STATIC_PERMISSIONS; } // properties get resolvers () { return this.#resolvers; } // protected async _init () { const types = {}; for ( const [ type, typeSpec ] of Object.entries( this.app.acl.config.types ) ) { types[ type ] = { type, "roles": {}, "notifications": {}, }; for ( const [ role, roleSpec ] of Object.entries( typeSpec.roles ) ) { types[ type ].roles[ role ] = { role, ...roleSpec, }; } if ( typeSpec.notifications ) { for ( const [ notification, notificationSpec ] of Object.entries( typeSpec.notifications ) ) { types[ type ].notifications[ notification ] = { notification, ...notificationSpec, }; } } } const allPermissions = new Set(); // check api schema permissions, create permissions index { for ( const method of Object.values( this.api.schema.methods ) ) { if ( !method.permission ) continue; // static permission if ( STATIC_PERMISSIONS.has( method.permission ) ) continue; // validate permission name const [ namespace, name ] = method.permission.split( ":" ); if ( !validatePath( namespace, { "absolute": false, "folder": false, "format": "kebab-case", } ) || !isKebabCase( name ) ) { return result( [ 500, `Permission "${ method.permission }" is invalid` ] ); } allPermissions.add( method.permission ); } } // acl types { for ( const type of Object.values( types ) ) { // roles for ( const role of Object.values( type.roles ) ) { const resolvedPermissions = new Set(), globPatterns = new GlobPatterns().add( role.permissions ); // resolve role permissions for ( const schemaPermission of allPermissions ) { if ( globPatterns.test( schemaPermission ) ) { resolvedPermissions.add( schemaPermission ); } } role.permissions = [ ...resolvedPermissions ]; } // notifications if ( type.notifications ) { for ( const notification of Object.values( type.notifications ) ) { if ( !notification.roles ) continue; // check notification roles for ( const role of notification.roles ) { if ( !type.roles[ role ] ) { return result( [ 400, `ACL notification ${ notification.notification } role ${ role } is not defined` ] ); } } } } } } // acl resolvers { for ( const [ aclResolver, query ] of Object.entries( this.api.schema.aclResolvers ) ) { this.#resolvers[ aclResolver ] = query ? sql( query ).prepare() : null; } } // check api methods acl object types { for ( const method of Object.values( this.api.schema.methods ) ) { if ( !method.aclResolvers ) continue; for ( const aclResolver of method.aclResolvers ) { if ( !( aclResolver in this.#resolvers ) ) { return result( [ 500, `ACL object type "${ aclResolver }" is not registered` ] ); } } } } const res = await this.app.acl.updateTypes( types ); if ( !res.ok ) return res; return result( 200 ); } }