UNPKG

mongodb-security

Version:

Portable business logic of MongoDB security model

github.com/mongodb-js/compass

mongodb-js/compass

130 lines (114 loc) 3.81 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
var ACTIONS = require('./res/actions.json'); var ROLES = require('./res/roles.json'); var each = require('lodash.foreach'); var every = require('lodash.every'); var debug = require('debug')('mongodb-security'); function inflateAction(name) { var def = ACTIONS[name]; def._id = name; return def; } var special = { db: function(s) { return ['local', 'config'].indexOf(s) > -1; }, collection: function(s) { return s.startsWith('system.'); // return ['system.profile', 'system.indexes', 'system.js', 'system.namespaces'].indexOf(s) > -1; } }; /** * returns only resources that mach a certain criterion specified by `key`. * * If the key is 'database', only return resources that correspond to a * database, e.g. {db: "foo", collection: ""}. * * If the key is 'collection', only return resources that correspond to a * collection, e.g. {db: "foo", collection: "bar"}. * * If they key is 'special', only return resources that match the special * definition (see above), or {cluster: 1} or {anyResource: 1}. * * @param {Array[Object]} resources array of resources * @param {String} key one of 'database', 'collection', 'special' * @return {[type]} return resources that only match the * given key */ var filterResources = function(resources, key) { return resources.filter(function(resource) { // first handle {cluster: 1}, {anyResource: 1} and other special resources if (resource.cluster || resource.anyResource || special.db(resource.db) || special.collection(resource.collection) || (resource.db === '' && resource.collection !== '')) { return key === 'special'; } if (key === 'database') { return resource.db !== '' && resource.collection === ''; } else if (key === 'collection') { return resource.db !== '' && resource.collection !== ''; } return false; }); }; /** * Return a list of resources for which all the specified actions are * present in the user or role document. * * @param {Object} userOrRole user or role definition * @param {Array[String]} actions list of required actions * @return {Array[Object]} list of resources containing all actions */ var getResourcesWithActions = function(userOrRole, actions, filter) { // `inheritedPrivileges` contains all privileges var privileges = userOrRole.inheritedPrivileges; var resources = []; each(privileges, function(privilege) { var allActionsPresent = every(actions, function(action) { return privilege.actions.indexOf(action) !== -1; }); if (allActionsPresent) { resources.push(privilege.resource); } }); if (filter) { return filterResources(resources, filter); } return resources; }; var inflate = function(userOrRole) { // `inheritedPrivileges` contains all privileges var privileges = userOrRole.inheritedPrivileges; privileges.sort(function(a, b) { return a.actions.length - b.actions.length; }); var res = userOrRole; res.grants = []; privileges.map(function(privilege) { if (special.db(privilege.resource.db)) { debug('skip special db privilege', privilege.resource); return false; } if (special.collection(privilege.resource.collection)) { debug('skip special collection grant', privilege.resource); return false; } var grant = { resource: privilege.resource, actions: {} }; privilege.actions.map(function(name) { grant.actions[name] = inflateAction(name); }); res.grants.push(grant); }); return res; }; module.exports = { ACTIONS: ACTIONS, ROLES: ROLES, inflate: inflate, filterResources: filterResources, getResourcesWithActions: getResourcesWithActions };