rbac-engine
Version:
Role-based access control engine with policy-based permissions
142 lines • 6.15 kB
JavaScript
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
const client_dynamodb_1 = require("@aws-sdk/client-dynamodb");
const index_1 = require("../index");
const dynamodb_repo_1 = require("../db/dynamodb-repo");
const uuid_1 = require("uuid");
const dynamoClient = new client_dynamodb_1.DynamoDBClient({
region: "us-east-1",
});
const accessControl = new index_1.AccessControl(dynamoClient, dynamodb_repo_1.DynamoDBRepository);
async function run() {
try {
console.log("Setting up tables...");
await accessControl.init();
const adminRoleId = (0, uuid_1.v4)();
const editorRoleId = (0, uuid_1.v4)();
const viewerRoleId = (0, uuid_1.v4)();
const adminPolicyId = (0, uuid_1.v4)();
const editorPolicyId = (0, uuid_1.v4)();
const viewerPolicyId = (0, uuid_1.v4)();
console.log("Creating roles...");
await accessControl.createRole({
id: adminRoleId,
name: "Admin"
});
await accessControl.createRole({
id: editorRoleId,
name: "Editor"
});
await accessControl.createRole({
id: viewerRoleId,
name: "Viewer"
});
console.log("Creating policies...");
const adminPolicyDocument = {
Version: "2023-11-15",
Statement: [
{
Effect: index_1.Effect.Allow,
Action: ["*"],
Resource: ["*"]
}
]
};
await accessControl.createPolicy({
id: adminPolicyId,
document: adminPolicyDocument
});
const editorPolicyDocument = {
Version: "2023-11-15",
Statement: [
{
Effect: index_1.Effect.Allow,
Action: ["read", "create", "update"],
Resource: ["document/*"]
}
]
};
await accessControl.createPolicy({
id: editorPolicyId,
document: editorPolicyDocument
});
const viewerPolicyDocument = {
Version: "2023-11-15",
Statement: [
{
Effect: index_1.Effect.Allow,
Action: ["read"],
Resource: ["document/*"]
}
]
};
await accessControl.createPolicy({
id: viewerPolicyId,
document: viewerPolicyDocument
});
console.log("Attaching policies to roles...");
await accessControl.attachPolicyToRole(adminPolicyId, adminRoleId);
await accessControl.attachPolicyToRole(editorPolicyId, editorRoleId);
await accessControl.attachPolicyToRole(viewerPolicyId, viewerRoleId);
console.log("Creating users...");
const adminUser = await accessControl.createUser({
id: (0, uuid_1.v4)(),
name: "Admin User"
});
const editorUser = await accessControl.createUser({
id: (0, uuid_1.v4)(),
name: "Editor User"
});
const viewerUser = await accessControl.createUser({
id: (0, uuid_1.v4)(),
name: "Viewer User"
});
console.log("Assigning roles to users...");
await accessControl.assignRoleToUser(adminUser.id, adminRoleId);
await accessControl.assignRoleToUser(editorUser.id, editorRoleId);
await accessControl.assignRoleToUser(viewerUser.id, viewerRoleId);
console.log("Testing access control...");
const adminCanCreate = await accessControl.hasAccess(adminUser.id, "create", "document/123");
console.log(`Admin can create document: ${adminCanCreate}`);
const adminCanDelete = await accessControl.hasAccess(adminUser.id, "delete", "document/123");
console.log(`Admin can delete document: ${adminCanDelete}`);
const editorCanCreate = await accessControl.hasAccess(editorUser.id, "create", "document/123");
console.log(`Editor can create document: ${editorCanCreate}`);
const editorCanUpdate = await accessControl.hasAccess(editorUser.id, "update", "document/123");
console.log(`Editor can update document: ${editorCanUpdate}`);
const editorCanDelete = await accessControl.hasAccess(editorUser.id, "delete", "document/123");
console.log(`Editor can delete document: ${editorCanDelete}`);
const viewerCanRead = await accessControl.hasAccess(viewerUser.id, "read", "document/123");
console.log(`Viewer can read document: ${viewerCanRead}`);
const viewerCanUpdate = await accessControl.hasAccess(viewerUser.id, "update", "document/123");
console.log(`Viewer can update document: ${viewerCanUpdate}`);
console.log("Testing with conditions...");
const conditionalPolicyId = (0, uuid_1.v4)();
const conditionalPolicy = {
Version: "2023-11-15",
Statement: [
{
Effect: index_1.Effect.Allow,
Action: ["read"],
Resource: ["sensitive-document/*"],
Condition: { department: "finance" }
}
]
};
await accessControl.createPolicy({
id: conditionalPolicyId,
document: conditionalPolicy
});
await accessControl.attachPolicyToRole(conditionalPolicyId, viewerRoleId);
const viewerFinanceContext = await accessControl.hasAccess(viewerUser.id, "read", "sensitive-document/budget", { department: "finance" });
console.log(`Viewer from finance can read sensitive document: ${viewerFinanceContext}`);
const viewerHRContext = await accessControl.hasAccess(viewerUser.id, "read", "sensitive-document/budget", { department: "hr" });
console.log(`Viewer from HR can read sensitive document: ${viewerHRContext}`);
console.log("Example completed successfully!");
}
catch (error) {
console.error("Error in example:", error);
}
}
run();
//# sourceMappingURL=dynamodb-basic.js.map