rbac-engine
Version:
Role-based access control engine with policy-based permissions
156 lines • 7.26 kB
JavaScript
;
Object.defineProperty(exports, "__esModule", { value: true });
const client_dynamodb_1 = require("@aws-sdk/client-dynamodb");
const index_1 = require("../index");
const dynamodb_repo_1 = require("../db/dynamodb-repo");
const uuid_1 = require("uuid");
const dynamoClient = new client_dynamodb_1.DynamoDBClient({
region: "us-east-1",
});
const accessControl = new index_1.AccessControl(dynamoClient, dynamodb_repo_1.DynamoDBRepository);
async function run() {
try {
console.log("Setting up tables...");
await accessControl.init();
console.log("Creating contractor role...");
const contractorRoleId = (0, uuid_1.v4)();
await accessControl.createRole({
id: contractorRoleId,
name: "Contractor"
});
console.log("Creating contractor user...");
const contractorUser = await accessControl.createUser({
id: (0, uuid_1.v4)(),
name: "Temporary Contractor"
});
console.log("Assigning contractor role to user...");
await accessControl.assignRoleToUser(contractorUser.id, contractorRoleId);
const now = new Date();
console.log(`Current date: ${now.toISOString()}`);
const activeStart = new Date(now);
activeStart.setDate(activeStart.getDate() - 30);
const activeEnd = new Date(now);
activeEnd.setDate(activeEnd.getDate() + 30);
const futureStart = new Date(now);
futureStart.setDate(futureStart.getDate() + 30);
const futureEnd = new Date(now);
futureEnd.setDate(futureEnd.getDate() + 60);
const expiredStart = new Date(now);
expiredStart.setDate(expiredStart.getDate() - 60);
const expiredEnd = new Date(now);
expiredEnd.setDate(expiredEnd.getDate() - 30);
console.log("Creating time-based policies...");
const activePolicy = {
Version: "2023-11-15",
Statement: [
{
Effect: index_1.Effect.Allow,
Action: ["read", "update"],
Resource: ["project/current"],
StartDate: activeStart.toISOString(),
EndDate: activeEnd.toISOString()
}
]
};
const activePolicyId = (0, uuid_1.v4)();
await accessControl.createPolicy({
id: activePolicyId,
document: activePolicy
});
const futurePolicy = {
Version: "2023-11-15",
Statement: [
{
Effect: index_1.Effect.Allow,
Action: ["read", "update"],
Resource: ["project/future"],
StartDate: futureStart.toISOString(),
EndDate: futureEnd.toISOString()
}
]
};
const futurePolicyId = (0, uuid_1.v4)();
await accessControl.createPolicy({
id: futurePolicyId,
document: futurePolicy
});
const expiredPolicy = {
Version: "2023-11-15",
Statement: [
{
Effect: index_1.Effect.Allow,
Action: ["read", "update"],
Resource: ["project/past"],
StartDate: expiredStart.toISOString(),
EndDate: expiredEnd.toISOString()
}
]
};
const expiredPolicyId = (0, uuid_1.v4)();
await accessControl.createPolicy({
id: expiredPolicyId,
document: expiredPolicy
});
const mixedPolicy = {
Version: "2023-11-15",
Statement: [
{
Effect: index_1.Effect.Allow,
Action: ["read"],
Resource: ["project/always-readable"],
},
{
Effect: index_1.Effect.Allow,
Action: ["update"],
Resource: ["project/always-readable"],
StartDate: activeStart.toISOString(),
EndDate: activeEnd.toISOString()
},
{
Effect: index_1.Effect.Allow,
Action: ["delete"],
Resource: ["project/always-readable"],
StartDate: futureStart.toISOString(),
EndDate: futureEnd.toISOString()
}
]
};
const mixedPolicyId = (0, uuid_1.v4)();
await accessControl.createPolicy({
id: mixedPolicyId,
document: mixedPolicy
});
console.log("Attaching policies to contractor role...");
await accessControl.attachPolicyToRole(activePolicyId, contractorRoleId);
await accessControl.attachPolicyToRole(futurePolicyId, contractorRoleId);
await accessControl.attachPolicyToRole(expiredPolicyId, contractorRoleId);
await accessControl.attachPolicyToRole(mixedPolicyId, contractorRoleId);
console.log("\nTesting access control with time-based policies...");
console.log("-------------------------------------------------");
const canReadCurrent = await accessControl.hasAccess(contractorUser.id, "read", "project/current");
console.log(`Contractor can read current project: ${canReadCurrent}`);
const canUpdateCurrent = await accessControl.hasAccess(contractorUser.id, "update", "project/current");
console.log(`Contractor can update current project: ${canUpdateCurrent}`);
const canReadFuture = await accessControl.hasAccess(contractorUser.id, "read", "project/future");
console.log(`Contractor can read future project: ${canReadFuture}`);
const canUpdateFuture = await accessControl.hasAccess(contractorUser.id, "update", "project/future");
console.log(`Contractor can update future project: ${canUpdateFuture}`);
const canReadPast = await accessControl.hasAccess(contractorUser.id, "read", "project/past");
console.log(`Contractor can read past project: ${canReadPast}`);
const canUpdatePast = await accessControl.hasAccess(contractorUser.id, "update", "project/past");
console.log(`Contractor can update past project: ${canUpdatePast}`);
console.log("\nMixed policy tests - different statements with different time constraints:");
const canReadAlways = await accessControl.hasAccess(contractorUser.id, "read", "project/always-readable");
console.log(`Contractor can read always-readable project: ${canReadAlways}`);
const canUpdateAlways = await accessControl.hasAccess(contractorUser.id, "update", "project/always-readable");
console.log(`Contractor can update always-readable project: ${canUpdateAlways}`);
const canDeleteAlways = await accessControl.hasAccess(contractorUser.id, "delete", "project/always-readable");
console.log(`Contractor can delete always-readable project: ${canDeleteAlways}`);
console.log("\nExample completed successfully!");
}
catch (error) {
console.error("Error in example:", error);
}
}
run();
//# sourceMappingURL=time-based-policies.js.map