UNPKG

rbac-engine

Version:

Role-based access control engine with policy-based permissions

156 lines 7.26 kB
"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); const client_dynamodb_1 = require("@aws-sdk/client-dynamodb"); const index_1 = require("../index"); const dynamodb_repo_1 = require("../db/dynamodb-repo"); const uuid_1 = require("uuid"); const dynamoClient = new client_dynamodb_1.DynamoDBClient({ region: "us-east-1", }); const accessControl = new index_1.AccessControl(dynamoClient, dynamodb_repo_1.DynamoDBRepository); async function run() { try { console.log("Setting up tables..."); await accessControl.init(); console.log("Creating contractor role..."); const contractorRoleId = (0, uuid_1.v4)(); await accessControl.createRole({ id: contractorRoleId, name: "Contractor" }); console.log("Creating contractor user..."); const contractorUser = await accessControl.createUser({ id: (0, uuid_1.v4)(), name: "Temporary Contractor" }); console.log("Assigning contractor role to user..."); await accessControl.assignRoleToUser(contractorUser.id, contractorRoleId); const now = new Date(); console.log(`Current date: ${now.toISOString()}`); const activeStart = new Date(now); activeStart.setDate(activeStart.getDate() - 30); const activeEnd = new Date(now); activeEnd.setDate(activeEnd.getDate() + 30); const futureStart = new Date(now); futureStart.setDate(futureStart.getDate() + 30); const futureEnd = new Date(now); futureEnd.setDate(futureEnd.getDate() + 60); const expiredStart = new Date(now); expiredStart.setDate(expiredStart.getDate() - 60); const expiredEnd = new Date(now); expiredEnd.setDate(expiredEnd.getDate() - 30); console.log("Creating time-based policies..."); const activePolicy = { Version: "2023-11-15", Statement: [ { Effect: index_1.Effect.Allow, Action: ["read", "update"], Resource: ["project/current"], StartDate: activeStart.toISOString(), EndDate: activeEnd.toISOString() } ] }; const activePolicyId = (0, uuid_1.v4)(); await accessControl.createPolicy({ id: activePolicyId, document: activePolicy }); const futurePolicy = { Version: "2023-11-15", Statement: [ { Effect: index_1.Effect.Allow, Action: ["read", "update"], Resource: ["project/future"], StartDate: futureStart.toISOString(), EndDate: futureEnd.toISOString() } ] }; const futurePolicyId = (0, uuid_1.v4)(); await accessControl.createPolicy({ id: futurePolicyId, document: futurePolicy }); const expiredPolicy = { Version: "2023-11-15", Statement: [ { Effect: index_1.Effect.Allow, Action: ["read", "update"], Resource: ["project/past"], StartDate: expiredStart.toISOString(), EndDate: expiredEnd.toISOString() } ] }; const expiredPolicyId = (0, uuid_1.v4)(); await accessControl.createPolicy({ id: expiredPolicyId, document: expiredPolicy }); const mixedPolicy = { Version: "2023-11-15", Statement: [ { Effect: index_1.Effect.Allow, Action: ["read"], Resource: ["project/always-readable"], }, { Effect: index_1.Effect.Allow, Action: ["update"], Resource: ["project/always-readable"], StartDate: activeStart.toISOString(), EndDate: activeEnd.toISOString() }, { Effect: index_1.Effect.Allow, Action: ["delete"], Resource: ["project/always-readable"], StartDate: futureStart.toISOString(), EndDate: futureEnd.toISOString() } ] }; const mixedPolicyId = (0, uuid_1.v4)(); await accessControl.createPolicy({ id: mixedPolicyId, document: mixedPolicy }); console.log("Attaching policies to contractor role..."); await accessControl.attachPolicyToRole(activePolicyId, contractorRoleId); await accessControl.attachPolicyToRole(futurePolicyId, contractorRoleId); await accessControl.attachPolicyToRole(expiredPolicyId, contractorRoleId); await accessControl.attachPolicyToRole(mixedPolicyId, contractorRoleId); console.log("\nTesting access control with time-based policies..."); console.log("-------------------------------------------------"); const canReadCurrent = await accessControl.hasAccess(contractorUser.id, "read", "project/current"); console.log(`Contractor can read current project: ${canReadCurrent}`); const canUpdateCurrent = await accessControl.hasAccess(contractorUser.id, "update", "project/current"); console.log(`Contractor can update current project: ${canUpdateCurrent}`); const canReadFuture = await accessControl.hasAccess(contractorUser.id, "read", "project/future"); console.log(`Contractor can read future project: ${canReadFuture}`); const canUpdateFuture = await accessControl.hasAccess(contractorUser.id, "update", "project/future"); console.log(`Contractor can update future project: ${canUpdateFuture}`); const canReadPast = await accessControl.hasAccess(contractorUser.id, "read", "project/past"); console.log(`Contractor can read past project: ${canReadPast}`); const canUpdatePast = await accessControl.hasAccess(contractorUser.id, "update", "project/past"); console.log(`Contractor can update past project: ${canUpdatePast}`); console.log("\nMixed policy tests - different statements with different time constraints:"); const canReadAlways = await accessControl.hasAccess(contractorUser.id, "read", "project/always-readable"); console.log(`Contractor can read always-readable project: ${canReadAlways}`); const canUpdateAlways = await accessControl.hasAccess(contractorUser.id, "update", "project/always-readable"); console.log(`Contractor can update always-readable project: ${canUpdateAlways}`); const canDeleteAlways = await accessControl.hasAccess(contractorUser.id, "delete", "project/always-readable"); console.log(`Contractor can delete always-readable project: ${canDeleteAlways}`); console.log("\nExample completed successfully!"); } catch (error) { console.error("Error in example:", error); } } run(); //# sourceMappingURL=time-based-policies.js.map