UNPKG

am-i-allowed

Version:

A generic, very powerful yet very friendly, 0 dependencies, agnostic, permissions/access-control/authorization library

github.com/dharmax/am-i-allowed

dharmax/am-i-allowed

281 lines (228 loc) 9.91 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
import {IActor, IPermissionStore, IPrivilegeManaged, Operation, PermissionsMetaData} from "./types"; import {standardPermissionChecker} from "./permission-checker"; import {DefaultOperationsTaxonomy} from "./operations-taxonomy"; /** * This is the main class. Normally you'd need just one PrivilegeManager for the whole application. * Use it to check permissions. * * * Special terms: * * The relation between ac actor to a given entity may be one of the following: * - Visitor: a not logged-in user * - User: a logged-in user, with an account * - Group Member: a user that shares the group of the entity * - a role owner: there's a role explicitly assigned to the use on the entity * */ export class PrivilegeManager { readonly operationTree: OperationTree private entityMetaDataLookup: EntityMetaDataLookup; /** * Builds a privilege manager instance. * @param store the persistence backend for the permission storage * @param operationsTransformer an optional operation tree transformer, in case you wish to alter the default one, add more operations, etc */ constructor(public store: IPermissionStore, operationsTransformer = (operationTree) => operationTree) { this.operationTree = new OperationTree(operationsTransformer(DefaultOperationsTaxonomy)) this.entityMetaDataLookup = new EntityMetaDataLookup(this) } /** * Check for if the actor is allowed to do something and throws an exception if he isn't * @param actor * @param operation * @param entity * @param specialContext for custom logic * @throws NoPrivilegeException if actor is not allowed */ async test(actor: IActor, operation: Operation, entity: IPrivilegeManaged, specialContext?: any): Promise<void> { // @ts-ignore const isAllowed = await this.isAllowed(...arguments) if (!isAllowed) { // @ts-ignore throw new NoPrivilegeException(...arguments) } } /** * Check if the actor is allowed to do * @param actor * @param operation * @param entity * @param specialContext * @return <promise> of true or false */ isAllowed(actor: IActor, operation: Operation, entity: IPrivilegeManaged, specialContext?: any): Promise<boolean> { if (!this.operationTree.find(operation)) throw new Error(`Operation ${operation.toString()} is not defined. Consider adding it to the operations tree.`) // @ts-ignore const customPermissionChecker = entity.customPermissionChecker || entity.constructor?.customPermissionChecker; if (customPermissionChecker) return customPermissionChecker(this, ...arguments) // @ts-ignore return standardPermissionChecker(this, ...arguments) } /** * @return all the actors that have explicit roles assigned on that entity * @param entity the entity */ getRoleOwners(entity: IPrivilegeManaged): Promise<{ [p: string]: string[] }> { return this.store.getRoleOwners(entity) } /** * @return all the roles explicitly assigned to the actor on any entity * @param actorId * @param skip pagination support * @param limit pagination support */ getActorRoles(actorId, skip = 0, limit = 1000): Promise<{ [entityId: string]: string[] }> { return this.store.getActorRoles(actorId, skip, limit) } /** * assign a role to use in entity * @param entity the entity * @param actor either IActor or an id * @param role the role */ assignRole(entity: IPrivilegeManaged, actor: IActor, role: Role): Promise<void> { return this.store.assignRole(entity, actor, role.roleName) } /** * @Return the roles the actor have on an entity * @param actor * @param entity */ async getRolesForActor(actor: IActor, entity: IPrivilegeManaged): Promise<Role[]> { return this.store.getRolesForUser(actor, entity, await this.findMetaData(entity)) } // noinspection JSIgnoredPromiseFromCall /** * Define a new role. Also add itself to the corresponding entityType. Y * @param roleName name of role * @param entityType The entity types this role is applicable to * @param operations the operation the role holder may do on the entities of the aforementioned types * @return the new role object */ addRole(roleName: string, operations: Operation[], entityType: (string | Function)): Role { const role = new Role(this, roleName, operations, entityType) const metaData = this.getOrAddMetaData(entityType); metaData.roles[roleName] = role this.store.saveRole(metaData.name, role).then(()=>{}) return role } /** * Define a new role. Also add itself to the corresponding entityType. You can add multiple roles, each for * different entity type if you provide more than one entity type. * @param roleName name of role * @param entityTypes The entity types this role is applicable to * @param operations the operation the role holder may do on the entities of the aforementioned types * @return the new roles objects */ addRoles(roleName: string, operations: Operation[], ...entityTypes: (string | Function)[]): Role[] { return entityTypes.map(entityType => this.addRole( roleName, operations, entityType )) } deleteRole(roleName: string, entityTypeName: string): Promise<void> { return this.store.deleteRole(roleName, entityTypeName) } async saveRole(entityTypeName: string, role: Role) { await this.store.saveRole(entityTypeName, role) } getOrAddMetaData(type: string | Function) { return this.entityMetaDataLookup.getOrAddMetaData(type) } async findMetaData(entity: IPrivilegeManaged) { return this.entityMetaDataLookup.findMetaData(entity) } } export class NoPrivilegeException extends Error { constructor(actor: IActor, operation: Operation, entity: IPrivilegeManaged, specialContext?: any) { super(`${actor.id} attempted unprivileged operation ${operation.toString()} on ${entity.id} with ${JSON.stringify(specialContext || '')}`) } message: string; name: string; } //////////////////////////////////////////// /** * This class's purpose is to holds the operation definition tree and provide the expandOperation method */ class OperationTree { private parentsMap = new Map<Operation, Operation[]>() constructor(private tree: object) { this.processTree(tree) } private processTree(tree: object) { const self = this populate(tree) function populate(node, parents: string[] = [],) { for (let [name, children] of Object.entries(node)) { const entryParents = self.parentsMap.get(name) || [] self.parentsMap.set(name, entryParents.concat(parents)) children && Object.keys(children).length && populate(children, [name, ...parents]) } } } /** * expand to include the super-operations * @param operation */ expandOperation(operation: Operation): Operation[] { if (!operation) return [] const parents = this.parentsMap.get(operation) if (parents.length) return [operation, ...parents] return [operation, ...parents, ...parents.reduce((a, c) => { a.push(...this.expandOperation(c)) return a }, [])] } find(operation: Operation): boolean { return this.parentsMap.has(operation); } } class EntityMetaDataLookup { metaDataMap = new Map<string, PermissionsMetaData>() constructor(private privilegeManager: PrivilegeManager) { } getOrAddMetaData(entityType: string | Function): PermissionsMetaData { const name = typeof entityType == 'string' ? entityType : entityType.name const clazz = typeof entityType == 'string' ? null : entityType let metadata = this.metaDataMap.get(name) if (!metadata) { // @ts-ignore metadata = clazz?.permissionsMetaData || new PermissionsMetaData(name, {}) this.metaDataMap.set(name, metadata) } return metadata } async findMetaData(entity: IPrivilegeManaged):Promise<PermissionsMetaData> { // first, we check if there's meta data on the entity itself // @ts-ignore let metaData = entity.permissionsMetaData || entity.constructor?.permissionsMetaData if (!metaData) { const entityName = entity.constructor === Object ? entity.___name : entity.constructor.name; return this.getOrAddMetaData(entityName) } // if it is defined as function - execute the function metaData = typeof metaData === 'function' ? await metaData() : metaData // validate the metadata if it wasn't validated before if (!metaData._validated) metaData._validated = this.validateMetaData(metaData) return metaData } private validateMetaData(md: PermissionsMetaData) { [...md.defaultGroupMemberPermissions, ...md.defaultUserPermissions, ...md.defaultVisitorPermissions].forEach( o => { if (!this.privilegeManager.operationTree.find(o)) throw new Error(`Operation "${o}" is not in the taxonomy`) }) return true; } } /** * Role defines the set of permitted operations. Each role is applicable to a provided entity types */ export class Role { readonly operations: Set<Operation> constructor(pm: PrivilegeManager, readonly roleName: string, operations: string[], readonly entityType: (string | Function)) { this.operations = new Set<Operation>(operations); } }