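"use strict";
// --- tsc CommonJS interop helpers (behaviour kept as emitted) ---------------
var __createBinding = (this && this.__createBinding) || (Object.create ? (function (o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    var desc = Object.getOwnPropertyDescriptor(m, k);
    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
        desc = { enumerable: true, get: function () { return m[k]; } };
    }
    Object.defineProperty(o, k2, desc);
}) : (function (o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    o[k2] = m[k];
}));
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function (o, v) {
    Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function (o, v) {
    o["default"] = v;
});
var __importStar = (this && this.__importStar) || function (mod) {
    if (mod && mod.__esModule) return mod;
    var result = {};
    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
    __setModuleDefault(result, mod);
    return result;
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.checkPermissionsByFilter = exports.checkPermissions = exports.checkPermissionsById = exports.checkProjectAndAppPermissions = exports.checkAppPermissionsByFilter = exports.checkAppPermissions = exports.checkAppPermissionsById = exports.checkProjectPermissionsByFilter = exports.checkProjectPermissions = exports.checkProjectPermissionsById = exports.filterUsersByWorkspaceRole = exports.filterSensitiveInfo = exports.makeWorkspaceActive = exports.assignRoleByID = exports.assignRoleByUserID = exports.assignRoleByRoleID = exports.assignRole = exports.assignRoleWithoutCheckingPermissions = exports.getActiveWorkspace = exports.getActiveRoleByUserId = exports.getActiveRole = exports.addRoleToUser = exports.addUserToWorkspace = void 0;
const lodash_1 = require("lodash");
const services_1 = require("../services");
const mongodb_1 = require("./mongodb");

// --- module-private helpers -------------------------------------------------

/**
 * Lazily loads the `DB` facade (same dynamic `import("../modules/api/DB")` the
 * original code performed inline in every function).
 * @returns {Promise<any>} the `DB` export
 */
const loadDB = async () => {
    const { DB } = await Promise.resolve().then(() => __importStar(require("../modules/api/DB")));
    return DB;
};

/**
 * String form of an id or document reference. Every id comparison in this
 * module goes through here because an ObjectId is never `===` / `includes`
 * equal to another ObjectId instance or to its string form.
 * @param {any} value id, ObjectId or document field
 * @returns {string}
 */
const idStr = (value) => mongodb_1.MongoDB.toString(value);

/**
 * True when `id` appears in `list`, comparing string forms of both sides.
 * @param {any[]} list ids / ObjectIds
 * @param {any} id id to look for
 * @returns {boolean}
 */
const containsId = (list, id) => {
    const target = idStr(id);
    return list.some((item) => idStr(item) === target);
};

/**
 * Resolves the object used to look up users: a bound `this` that exposes
 * `findOne` is honoured (legacy call style), otherwise a fresh `UserService`.
 * In strict mode an unbound call has `this === undefined` (or the `exports`
 * object), which has no `findOne` and previously threw a TypeError.
 * @param {any} ctx the caller's `this`
 * @returns {{ findOne: Function }}
 */
const userLookup = (ctx) => (ctx && typeof ctx.findOne === "function" ? ctx : new services_1.UserService());

/**
 * Id of a role/workspace reference that may be a raw ObjectId/string or a
 * populated document; `undefined` when it is neither.
 * @param {any} ref
 * @returns {string | undefined}
 */
const refId = (ref) => {
    if (mongodb_1.MongoDB.isValidObjectId(ref)) return idStr(ref);
    if (ref && ref._id) return idStr(ref._id);
    return undefined;
};

// --- workspace / role assignment --------------------------------------------

/**
 * Adds a user to a workspace with the workspace's role of type `roleType`
 * (default `"member"`), making that role the user's `activeRole`.
 * Existing role/workspace entries are kept; duplicates are not added.
 * @param {string} userId value matched against the user's `id` field
 * @param {{ _id: any }} workspace target workspace document
 * @param {string} [roleType="member"] role `type` to look up in that workspace
 * @returns {Promise<any>} the updated user document
 * @throws {Error} `User not found.` / `Role "<type>" not found.`
 */
const addUserToWorkspace = async (userId, workspace, roleType = "member") => {
    const DB = await loadDB();
    let user = await DB.findOne("user", { id: userId });
    if (!user) throw new Error(`User not found.`);
    // find role (default: "member")
    const role = await DB.findOne("role", { type: roleType, workspace: workspace._id });
    if (!role) throw new Error(`Role "${roleType}" not found.`);
    // assign role (string comparison: `includes` on ObjectIds compares identity)
    const roles = user.roles || [];
    if (!containsId(roles, role._id)) roles.push(role._id);
    // assign workspace
    const workspaces = user.workspaces || [];
    if (!containsId(workspaces, workspace._id)) workspaces.push(workspace._id);
    // update user data
    user = await DB.updateOne("user", { _id: user._id }, { workspaces, roles, activeRole: role._id });
    return user;
};
exports.addUserToWorkspace = addUserToWorkspace;

/**
 * Replaces whatever role the user holds in `workspace` with the workspace's
 * role of type `roleType`; roles in other workspaces are untouched.
 * Does not change `activeRole`.
 * @param {string} roleType role `type` to look up in the workspace
 * @param {string} userId value matched against the user's `id` field
 * @param {{ _id: any }} workspace workspace document
 * @returns {Promise<{ user: any, role: any }>} updated user and the assigned role
 * @throws {Error} `User not found.` / `Role "<type>" not found.`
 */
const addRoleToUser = async (roleType, userId, workspace) => {
    const DB = await loadDB();
    // find user (roles populated so their `workspace` field is readable)
    let user = await DB.findOne("user", { id: userId }, { populate: ["roles"] });
    if (!user) throw new Error(`User not found.`);
    // find role
    const role = await DB.findOne("role", { type: roleType, workspace: workspace._id });
    if (!role) throw new Error(`Role "${roleType}" not found.`);
    // remove old roles of this workspace, keep ids of the others
    const wsId = idStr(workspace._id);
    const roles = (user.roles || [])
        .filter((_role) => idStr(_role.workspace) !== wsId)
        .map((_role) => _role._id);
    // push new role
    roles.push(role._id);
    // update database
    user = await DB.updateOne("user", { _id: user._id }, { roles });
    return { user, role };
};
exports.addRoleToUser = addRoleToUser;

/**
 * Resolves the role `user` holds in `workspace`.
 * - A user with no roles at all gets the workspace's `"member"` role.
 * - A user with roles but none in this workspace is denied unless
 *   `options.assignMember` is set, in which case `"member"` is assigned and
 *   persisted (together with `activeRole`).
 * - With `options.makeActive`, a user that has no `activeRole` yet gets the
 *   resolved role stored as `activeRole`.
 * @param {any} user user document (roles populated or as ids)
 * @param {{ _id: any }} workspace workspace document
 * @param {{ assignMember?: boolean, makeActive?: boolean }} [options]
 * @returns {Promise<any>} the populated role document
 * @throws {Error} `Permissions denied.` when no role exists here and
 *   `assignMember` is not set; `User not found.` / `Role "member" not found.`
 */
const getActiveRole = async (user, workspace, options) => {
    const DB = await loadDB();
    const userId = idStr(user._id);
    const wsId = idStr(workspace._id);
    if (!user.roles) user.roles = [];
    // only populated role documents (those carrying `_id`) are usable here
    const populatedRoles = (list) => (list || []).filter((r) => r && r._id);
    let roles = populatedRoles(user.roles);
    // populate user's roles if needed
    if (roles.length === 0) {
        user = await DB.findOne("user", { _id: userId }, { populate: ["roles"] });
        if (!user) throw new Error(`User not found.`);
        roles = populatedRoles(user.roles);
    }
    // check again if this user have no roles -> assign member role
    if (roles.length === 0) {
        const addRoleRes = await (0, exports.addRoleToUser)("member", userId, workspace);
        roles.push(addRoleRes.role);
    }
    // get active role: `role.workspace` may be an ObjectId while `wsId` is a
    // string, so compare string forms (a strict `===` never matched those)
    let activeRole = roles.find((_role) => idStr(_role.workspace) === wsId);
    // if this user doesn't have any role in this workspace
    if (!activeRole) {
        if (!(options && options.assignMember)) throw new Error(`Permissions denied.`);
        // assign "member" role if needed:
        const memberRole = await DB.findOne("role", { type: "member", workspace: wsId });
        if (!memberRole) throw new Error(`Role "member" not found.`);
        roles.push(memberRole);
        activeRole = memberRole;
        user = await DB.updateOne("user", { _id: user._id }, {
            roles: roles.map((role) => role._id),
            activeRole: activeRole._id,
        });
    }
    // update database
    if (!user.activeRole && options && options.makeActive) {
        user = await DB.updateOne("user", { _id: user._id }, { activeRole: activeRole._id });
    }
    return activeRole;
};
exports.getActiveRole = getActiveRole;

/**
 * `getActiveRole` for a user looked up by `id` (no options: a user without a
 * role in the workspace is denied).
 * @param {string} userId value matched against the user's `id` field
 * @param {{ _id: any }} workspace workspace document
 * @returns {Promise<any>} the role document
 * @throws {Error} `User not found.` / `Permissions denied.`
 */
const getActiveRoleByUserId = async (userId, workspace) => {
    const DB = await loadDB();
    // find user
    const user = await DB.findOne("user", { id: userId }, { populate: ["roles"] });
    if (!user) throw new Error(`User not found.`);
    return (0, exports.getActiveRole)(user, workspace);
};
exports.getActiveRoleByUserId = getActiveRoleByUserId;

/**
 * Returns the user's active workspace document: `user.activeWorkspace`
 * itself when already populated, otherwise looked up by id when it is a
 * valid ObjectId. `undefined` when unset or not resolvable.
 * @param {any} user user document
 * @returns {Promise<any | undefined>}
 */
async function getActiveWorkspace(user) {
    const DB = await loadDB();
    const active = user.activeWorkspace;
    // already populated (a document with `_id`)?
    let workspace = active && active._id ? active : undefined;
    // otherwise treat it as an id and look it up
    if (!workspace && mongodb_1.MongoDB.isValidObjectId(active)) {
        workspace = await DB.findOne("workspace", { _id: active });
    }
    return workspace;
}
exports.getActiveWorkspace = getActiveWorkspace;

/**
 * Gives `toUser` the role `roleId`, replacing any role the user holds in that
 * role's workspace. No authorization is performed here: the caller is
 * responsible for checking that the actor may do this (see `assignRole`).
 * @param {any} roleId id of the role to assign
 * @param {{ _id: any, roles?: any[] }} toUser user document with populated roles
 * @param {any} ownership passed through to `UserService`
 * @returns {Promise<any>} result of `UserService.updateOne`
 * @throws {Error} `Role not found.`
 */
async function assignRoleWithoutCheckingPermissions(roleId, toUser, ownership) {
    const roleSvc = new services_1.RoleService();
    const toBeUpdatedRole = await roleSvc.findOne({ _id: roleId });
    if (!toBeUpdatedRole) throw new Error(`Role not found.`);
    const roleWorkspaceId = idStr(toBeUpdatedRole.workspace);
    const newRoleId = idStr(roleId);
    // drop roles of the same workspace and any copy of the new role
    const roles = (toUser.roles || [])
        .filter((role) => idStr(role.workspace) !== roleWorkspaceId)
        .filter((role) => idStr(role._id) !== newRoleId)
        .map((role) => role._id);
    // push new role id
    roles.push(mongodb_1.MongoDB.toObjectId(roleId));
    // update user
    const userSvc = new services_1.UserService(ownership);
    return userSvc.updateOne({ _id: toUser._id }, { roles });
}
exports.assignRoleWithoutCheckingPermissions = assignRoleWithoutCheckingPermissions;

/**
 * Assigns `role` to `user` in the user's active workspace after checking the
 * user's current role there: `"member"` may assign nothing, `"moderator"` may
 * assign anything but `"admin"`, any other type is allowed. Note that `user`
 * is both the account whose active role is checked and the account that
 * receives `role`.
 * @param {{ _id: any, type: string }} role role document to assign
 * @param {any} user user document (needs `activeRole` and `activeWorkspace`)
 * @param {{ makeActive?: boolean }} [options] also store `role._id` as `activeRole`
 * @returns {Promise<{ user: any, role: any }>}
 * @throws {Error} `Permissions denied.`
 */
async function assignRole(role, user, options) {
    const userSvc = new services_1.UserService();
    // validate
    if (!user.activeRole || !user.activeWorkspace) throw new Error(`Permissions denied.`);
    const activeWorkspace = await getActiveWorkspace(user);
    if (!activeWorkspace) throw new Error(`Permissions denied.`);
    const activeRole = await (0, exports.getActiveRole)(user, activeWorkspace);
    // current role "member" -> cannot assign any roles to others
    if (!activeRole || activeRole.type === "member") throw new Error(`Permissions denied.`);
    // current role "moderator" -> cannot assign "admin" role to others
    if (activeRole.type === "moderator" && role.type === "admin") throw new Error(`Permissions denied.`);
    // remove old roles of the active workspace
    const activeWsId = idStr(activeWorkspace._id);
    const roles = (user.roles || [])
        .filter((_role) => idStr(_role.workspace) !== activeWsId)
        .map((_role) => _role._id);
    // push a new role
    roles.push(role._id);
    // update database: `makeActive` used to be computed and then dropped
    // (only `{ roles }` was persisted); store the id like the rest of the module
    const updateData = { roles };
    if (options && options.makeActive) updateData.activeRole = role._id;
    user = await userSvc.updateOne({ _id: user._id }, updateData);
    // return
    return { user, role };
}
exports.assignRole = assignRole;

/**
 * `assignRole` with the role looked up by id.
 * @param {any} roleId
 * @param {any} user user document
 * @param {{ makeActive?: boolean }} [options]
 * @returns {Promise<{ user: any, role: any }>}
 * @throws {Error} `Role not found.` / `Permissions denied.`
 */
async function assignRoleByRoleID(roleId, user, options) {
    const roleSvc = new services_1.RoleService();
    const role = await roleSvc.findOne({ _id: roleId });
    if (!role) throw new Error(`Role not found.`);
    return assignRole(role, user, options);
}
exports.assignRoleByRoleID = assignRoleByRoleID;

/**
 * `assignRole` with the user looked up by `_id` (via a bound `this` that has
 * `findOne`, else `UserService`).
 * @param {{ _id: any, type: string }} role role document
 * @param {any} userId
 * @param {{ makeActive?: boolean }} [options]
 * @returns {Promise<{ user: any, role: any }>}
 * @throws {Error} `User not found.` / `Permissions denied.`
 */
async function assignRoleByUserID(role, userId, options) {
    const user = await userLookup(this).findOne({ _id: userId });
    if (!user) throw new Error(`User not found.`);
    return assignRole(role, user, options);
}
exports.assignRoleByUserID = assignRoleByUserID;

/**
 * `assignRole` with both role and user looked up by id.
 * @param {any} roleId
 * @param {any} userId
 * @param {{ makeActive?: boolean }} [options]
 * @returns {Promise<{ user: any, role: any }>}
 * @throws {Error} `Role not found.` / `User not found.` / `Permissions denied.`
 */
async function assignRoleByID(roleId, userId, options) {
    const roleSvc = new services_1.RoleService();
    const role = await roleSvc.findOne({ _id: roleId });
    if (!role) throw new Error(`Role not found.`);
    const user = await userLookup(this).findOne({ _id: userId });
    if (!user) throw new Error(`User not found.`);
    return assignRole(role, user, options);
}
exports.assignRoleByID = assignRoleByID;

/**
 * Stores `workspaceId` as the user's `activeWorkspace`. No membership check
 * is performed here.
 * @param {any} userId matched against `_id`
 * @param {any} workspaceId
 * @returns {Promise<any>} the updated user
 */
const makeWorkspaceActive = async (userId, workspaceId) => {
    const DB = await loadDB();
    return DB.updateOne("user", { _id: userId }, { activeWorkspace: workspaceId });
};
exports.makeWorkspaceActive = makeWorkspaceActive;

// --- response filtering -----------------------------------------------------

/**
 * Strips credential fields from user records IN PLACE: `token` on the record
 * and `access_token` / `user_id` on each entry of `providers`. Only these
 * fields are removed; anything else on the record is returned as-is.
 * Null/undefined entries are passed through unchanged.
 * @param {any[]} [list=[]] user records
 * @returns {any[]} the same records, mutated
 */
function filterSensitiveInfo(list = []) {
    return list.map((item) => {
        if (!item) return item;
        if (item.token) delete item.token;
        if (item.providers && item.providers.length > 0) {
            for (const provider of item.providers) {
                delete provider.access_token;
                delete provider.user_id;
            }
        }
        return item;
    });
}
exports.filterSensitiveInfo = filterSensitiveInfo;

/**
 * Narrows each user's `roles` to roles belonging to `workspaceId` and
 * `workspaces` to that workspace only (both mutated in place); entries may be
 * raw ids or populated documents. Null/undefined users are dropped.
 * @param {any} workspaceId workspace id (string or ObjectId)
 * @param {any[]} [list=[]] user records
 * @returns {Promise<any[]>}
 */
async function filterUsersByWorkspaceRole(workspaceId, list = []) {
    // normalise once so a raw ObjectId argument compares equal to string ids
    const wsId = idStr(workspaceId);
    const roleSvc = new services_1.RoleService();
    const wsRoles = await roleSvc.find({ workspace: workspaceId });
    // build the id set once instead of re-mapping `wsRoles` per role per user
    const wsRoleIds = new Set(wsRoles.map((r) => idStr(r._id)));
    return list
        .filter((user) => typeof user !== "undefined" && user !== null)
        .map((user) => {
            if (user.roles && user.roles.length > 0) {
                user.roles = user.roles.filter((role) => {
                    const id = refId(role);
                    return id !== undefined && wsRoleIds.has(id);
                });
            }
            if (user.workspaces && user.workspaces.length > 0) {
                user.workspaces = user.workspaces.filter((ws) => refId(ws) === wsId);
            }
            return user;
        });
}
exports.filterUsersByWorkspaceRole = filterUsersByWorkspaceRole;

// --- access checks ----------------------------------------------------------
// Allow-list semantics shared by every check below: a missing or EMPTY
// `user.allowAccess.<resource>` list means the user is not restricted for that
// resource type; a non-empty list must contain the requested id.

/**
 * Throws unless `projectId` is valid and (when the user has a non-empty
 * `allowAccess.projects` list) listed there.
 * @param {any} projectId
 * @param {any} [user] user document; no user means no restriction
 * @throws {Error} `Project ID is invalid: "<id>"` / `You don't have permissions in this project.`
 */
function checkProjectPermissionsById(projectId, user) {
    if (!mongodb_1.MongoDB.isValidObjectId(projectId)) throw new Error(`Project ID is invalid: "${projectId}"`);
    const allowed = user && user.allowAccess ? user.allowAccess.projects : undefined;
    if (allowed && allowed.length > 0 && !containsId(allowed, projectId)) {
        throw new Error(`You don't have permissions in this project.`);
    }
}
exports.checkProjectPermissionsById = checkProjectPermissionsById;

/**
 * `checkProjectPermissionsById` for a project document.
 * @param {{ _id: any }} project
 * @param {any} [user]
 */
function checkProjectPermissions(project, user) {
    checkProjectPermissionsById(project._id, user);
}
exports.checkProjectPermissions = checkProjectPermissions;

/**
 * Fetches every project matching `filter` and checks each one; the first
 * project outside the user's allow-list throws. Skipped entirely when the
 * user has no `allowAccess`.
 * @param {{ find: Function }} svc project service
 * @param {any} filter query passed to `svc.find`
 * @param {any} [user]
 * @returns {Promise<void>}
 */
async function checkProjectPermissionsByFilter(svc, filter, user) {
    if (user && user.allowAccess) {
        const projects = await svc.find(filter);
        for (const project of projects) {
            // check PROJECT access permissions
            checkProjectPermissions(project, user);
        }
    }
}
exports.checkProjectPermissionsByFilter = checkProjectPermissionsByFilter;

/**
 * Throws unless `appId` is valid and (when the user has a non-empty
 * `allowAccess.apps` list) listed there.
 * @param {any} appId
 * @param {any} [user]
 * @throws {Error} `App ID is invalid: "<id>"` / `Permission denied.`
 */
function checkAppPermissionsById(appId, user) {
    if (!mongodb_1.MongoDB.isValidObjectId(appId)) throw new Error(`App ID is invalid: "${appId}"`);
    const allowed = user && user.allowAccess ? user.allowAccess.apps : undefined;
    if (allowed && allowed.length > 0 && !containsId(allowed, appId)) {
        throw new Error(`Permission denied.`);
    }
}
exports.checkAppPermissionsById = checkAppPermissionsById;

/**
 * `checkAppPermissionsById` for an app document.
 * @param {{ _id: any }} app
 * @param {any} [user]
 */
function checkAppPermissions(app, user) {
    checkAppPermissionsById(app._id, user);
}
exports.checkAppPermissions = checkAppPermissions;

/**
 * Fetches every app matching `filter` and checks each one; skipped when the
 * user has no `allowAccess`.
 * @param {{ find: Function }} svc app service
 * @param {any} filter
 * @param {any} [user]
 * @returns {Promise<void>}
 */
async function checkAppPermissionsByFilter(svc, filter, user) {
    if (user && user.allowAccess) {
        const apps = await svc.find(filter);
        for (const app of apps) {
            // check APP access permissions
            checkAppPermissions(app, user);
        }
    }
}
exports.checkAppPermissionsByFilter = checkAppPermissionsByFilter;

/**
 * Fetches every app matching `filter` and checks both the app's project
 * (`app.project`) and the app itself; skipped when the user has no
 * `allowAccess`.
 * @param {{ find: Function }} svc app service
 * @param {any} filter
 * @param {any} [user]
 * @returns {Promise<void>}
 */
async function checkProjectAndAppPermissions(svc, filter, user) {
    if (user && user.allowAccess) {
        const apps = await svc.find(filter);
        for (const app of apps) {
            // check PROJECT access permissions
            checkProjectPermissionsById(app.project, user);
            // check APP access permissions
            checkAppPermissions(app, user);
        }
    }
}
exports.checkProjectAndAppPermissions = checkProjectAndAppPermissions;

/**
 * Generic form of the checks above: `user.allowAccess[resource]` is the
 * allow-list for `resource`.
 * @param {string} resource key into `allowAccess` (also used in messages)
 * @param {any} id
 * @param {any} [user]
 * @throws {Error} `<Resource> ID is invalid: "<id>"` / `You don't have permissions in this <resource>.`
 */
function checkPermissionsById(resource, id, user) {
    if (!mongodb_1.MongoDB.isValidObjectId(id)) throw new Error(`${(0, lodash_1.upperFirst)(resource)} ID is invalid: "${id}"`);
    const allowedResources = user && user.allowAccess ? user.allowAccess[resource] : undefined;
    if (allowedResources && allowedResources.length > 0 && !containsId(allowedResources, id)) {
        throw new Error(`You don't have permissions in this ${resource}.`);
    }
}
exports.checkPermissionsById = checkPermissionsById;

/**
 * `checkPermissionsById` for a document.
 * @param {string} resource
 * @param {{ _id: any }} item
 * @param {any} [user]
 */
function checkPermissions(resource, item, user) {
    checkPermissionsById(resource, item._id, user);
}
exports.checkPermissions = checkPermissions;

/**
 * Fetches every item matching `filter` and checks each one. Unlike the
 * project/app variants this is skipped not only without `allowAccess` but
 * also when the resource's allow-list is missing or empty (no restriction).
 * @param {string} resource
 * @param {{ find: Function }} svc
 * @param {any} filter
 * @param {any} [user]
 * @returns {Promise<void>}
 */
async function checkPermissionsByFilter(resource, svc, filter, user) {
    const allowed = user && user.allowAccess ? user.allowAccess[resource] : undefined;
    if (allowed && allowed.length > 0) {
        const items = await svc.find(filter);
        for (const item of items) {
            checkPermissions(resource, item, user);
        }
    }
}
exports.checkPermissionsByFilter = checkPermissionsByFilter;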