@api-client/core 0.19.41 → 0.20.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/build/src/index.d.ts +2 -1
- package/build/src/index.d.ts.map +1 -1
- package/build/src/index.js +4 -0
- package/build/src/index.js.map +1 -1
- package/build/src/modeling/RuntimeApiModel.d.ts +25 -0
- package/build/src/modeling/RuntimeApiModel.d.ts.map +1 -1
- package/build/src/modeling/RuntimeApiModel.js +158 -0
- package/build/src/modeling/RuntimeApiModel.js.map +1 -1
- package/build/src/modeling/helpers/runtime.d.ts +5 -0
- package/build/src/modeling/helpers/runtime.d.ts.map +1 -0
- package/build/src/modeling/helpers/runtime.js +12 -0
- package/build/src/modeling/helpers/runtime.js.map +1 -0
- package/build/src/modeling/index.d.ts +1 -0
- package/build/src/modeling/index.d.ts.map +1 -1
- package/build/src/modeling/index.js.map +1 -1
- package/build/src/modeling/rules/AccessRule.d.ts +40 -1
- package/build/src/modeling/rules/AccessRule.d.ts.map +1 -1
- package/build/src/modeling/rules/AccessRule.js +44 -2
- package/build/src/modeling/rules/AccessRule.js.map +1 -1
- package/build/src/modeling/rules/AllowAuthenticated.d.ts.map +1 -1
- package/build/src/modeling/rules/AllowAuthenticated.js +9 -2
- package/build/src/modeling/rules/AllowAuthenticated.js.map +1 -1
- package/build/src/modeling/rules/AllowPublic.d.ts.map +1 -1
- package/build/src/modeling/rules/AllowPublic.js +9 -2
- package/build/src/modeling/rules/AllowPublic.js.map +1 -1
- package/build/src/modeling/rules/LifecycleStatus.d.ts +36 -0
- package/build/src/modeling/rules/LifecycleStatus.d.ts.map +1 -0
- package/build/src/modeling/rules/LifecycleStatus.js +60 -0
- package/build/src/modeling/rules/LifecycleStatus.js.map +1 -0
- package/build/src/modeling/rules/MatchEmailDomain.d.ts.map +1 -1
- package/build/src/modeling/rules/MatchEmailDomain.js +9 -2
- package/build/src/modeling/rules/MatchEmailDomain.js.map +1 -1
- package/build/src/modeling/rules/MatchResourceAttribute.d.ts +38 -0
- package/build/src/modeling/rules/MatchResourceAttribute.d.ts.map +1 -0
- package/build/src/modeling/rules/MatchResourceAttribute.js +68 -0
- package/build/src/modeling/rules/MatchResourceAttribute.js.map +1 -0
- package/build/src/modeling/rules/MatchResourceOwner.d.ts.map +1 -1
- package/build/src/modeling/rules/MatchResourceOwner.js +8 -2
- package/build/src/modeling/rules/MatchResourceOwner.js.map +1 -1
- package/build/src/modeling/rules/MatchUserProperty.d.ts.map +1 -1
- package/build/src/modeling/rules/MatchUserProperty.js +9 -2
- package/build/src/modeling/rules/MatchUserProperty.js.map +1 -1
- package/build/src/modeling/rules/MatchUserRole.d.ts.map +1 -1
- package/build/src/modeling/rules/MatchUserRole.js +9 -2
- package/build/src/modeling/rules/MatchUserRole.js.map +1 -1
- package/build/src/modeling/rules/index.d.ts +8 -6
- package/build/src/modeling/rules/index.d.ts.map +1 -1
- package/build/src/modeling/rules/index.js +8 -2
- package/build/src/modeling/rules/index.js.map +1 -1
- package/build/src/modeling/types.d.ts +3 -4
- package/build/src/modeling/types.d.ts.map +1 -1
- package/build/src/modeling/types.js.map +1 -1
- package/build/src/modeling/validation/api_model_rules.js +1 -1
- package/build/src/modeling/validation/api_model_rules.js.map +1 -1
- package/build/tsconfig.tsbuildinfo +1 -1
- package/package.json +1 -1
- package/src/modeling/RuntimeApiModel.ts +194 -2
- package/src/modeling/helpers/runtime.ts +12 -0
- package/src/modeling/rules/AccessRule.ts +70 -2
- package/src/modeling/rules/AllowAuthenticated.ts +13 -2
- package/src/modeling/rules/AllowPublic.ts +13 -2
- package/src/modeling/rules/LifecycleStatus.ts +71 -0
- package/src/modeling/rules/MatchEmailDomain.ts +13 -2
- package/src/modeling/rules/MatchResourceAttribute.ts +82 -0
- package/src/modeling/rules/MatchResourceOwner.ts +12 -2
- package/src/modeling/rules/MatchUserProperty.ts +13 -2
- package/src/modeling/rules/MatchUserRole.ts +13 -2
- package/src/modeling/types.ts +3 -4
- package/src/modeling/validation/api_model_rules.ts +1 -1
- package/tests/unit/modeling/RuntimeApiModel.spec.ts +247 -1
- package/tests/unit/modeling/actions/Action.spec.ts +2 -2
- package/tests/unit/modeling/actions/CreateAction.spec.ts +1 -1
- package/tests/unit/modeling/actions/ReadAction.spec.ts +2 -2
- package/tests/unit/modeling/api_model.spec.ts +6 -6
- package/tests/unit/modeling/exposed_entity.spec.ts +1 -1
- package/tests/unit/modeling/generators/OasGenerator.spec.ts +1 -1
- package/tests/unit/modeling/helpers/runtime.spec.ts +48 -0
- package/tests/unit/modeling/rules/AccessRule.spec.ts +5 -5
- package/tests/unit/modeling/rules/LifecycleStatus.spec.ts +55 -0
- package/tests/unit/modeling/rules/MatchResourceAttribute.spec.ts +66 -0
- package/tests/unit/modeling/validation/api_model_rules.spec.ts +2 -2
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import { AccessRule } from './AccessRule.js';
|
|
1
|
+
import { AccessRule, AccessRuleExecutionPhase } from './AccessRule.js';
|
|
2
2
|
/**
|
|
3
3
|
* The action is allowed for any authenticated user.
|
|
4
4
|
* This rule does not impose any additional restrictions based on user properties or resource ownership.
|
|
@@ -7,7 +7,14 @@ import { AccessRule } from './AccessRule.js';
|
|
|
7
7
|
export class AllowAuthenticatedAccessRule extends AccessRule {
|
|
8
8
|
type;
|
|
9
9
|
constructor(parent, state = {}) {
|
|
10
|
-
super(parent,
|
|
10
|
+
super(parent, {
|
|
11
|
+
list: AccessRuleExecutionPhase.PRE_FETCH,
|
|
12
|
+
create: AccessRuleExecutionPhase.PRE_FETCH,
|
|
13
|
+
search: AccessRuleExecutionPhase.PRE_FETCH,
|
|
14
|
+
read: AccessRuleExecutionPhase.PRE_FETCH,
|
|
15
|
+
update: AccessRuleExecutionPhase.PRE_FETCH,
|
|
16
|
+
delete: AccessRuleExecutionPhase.PRE_FETCH,
|
|
17
|
+
}, state);
|
|
11
18
|
this.type = 'allowAuthenticated';
|
|
12
19
|
}
|
|
13
20
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"AllowAuthenticated.js","sourceRoot":"","sources":["../../../../src/modeling/rules/AllowAuthenticated.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,UAAU,EAAyB,MAAM,iBAAiB,CAAA;
|
|
1
|
+
{"version":3,"file":"AllowAuthenticated.js","sourceRoot":"","sources":["../../../../src/modeling/rules/AllowAuthenticated.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,UAAU,EAAE,wBAAwB,EAAyB,MAAM,iBAAiB,CAAA;AAW7F;;;;GAIG;AACH,MAAM,OAAO,4BAA6B,SAAQ,UAAU;IACxC,IAAI,CAAsB;IAE5C,YAAY,MAAyC,EAAE,QAAqD,EAAE;QAC5G,KAAK,CACH,MAAM,EACN;YACE,IAAI,EAAE,wBAAwB,CAAC,SAAS;YACxC,MAAM,EAAE,wBAAwB,CAAC,SAAS;YAC1C,MAAM,EAAE,wBAAwB,CAAC,SAAS;YAC1C,IAAI,EAAE,wBAAwB,CAAC,SAAS;YACxC,MAAM,EAAE,wBAAwB,CAAC,SAAS;YAC1C,MAAM,EAAE,wBAAwB,CAAC,SAAS;SAC3C,EACD,KAAK,CACN,CAAA;QACD,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAA;IAClC,CAAC;CACF","sourcesContent":["import type { Action } from '../actions/Action.js'\nimport type { ApiModel } from '../ApiModel.js'\nimport type { ExposedEntity } from '../ExposedEntity.js'\nimport { AccessRule, AccessRuleExecutionPhase, type AccessRuleSchema } from './AccessRule.js'\n\n/**\n * The action is allowed for any authenticated user.\n * This rule does not impose any additional restrictions based on user properties or resource ownership.\n * It is used for resources that should be accessible to all logged-in users.\n */\nexport interface AllowAuthenticatedAccessRuleSchema extends AccessRuleSchema {\n type: 'allowAuthenticated'\n}\n\n/**\n * The action is allowed for any authenticated user.\n * This rule does not impose any additional restrictions based on user properties or resource ownership.\n * It is used for resources that should be accessible to all logged-in users.\n */\nexport class AllowAuthenticatedAccessRule extends AccessRule implements AllowAuthenticatedAccessRuleSchema {\n override readonly type: 'allowAuthenticated'\n\n constructor(parent: ExposedEntity | ApiModel | Action, state: Partial<AllowAuthenticatedAccessRuleSchema> = {}) {\n super(\n parent,\n {\n list: AccessRuleExecutionPhase.PRE_FETCH,\n create: AccessRuleExecutionPhase.PRE_FETCH,\n search: AccessRuleExecutionPhase.PRE_FETCH,\n read: AccessRuleExecutionPhase.PRE_FETCH,\n update: AccessRuleExecutionPhase.PRE_FETCH,\n delete: AccessRuleExecutionPhase.PRE_FETCH,\n },\n state\n )\n this.type = 'allowAuthenticated'\n }\n}\n"]}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"AllowPublic.d.ts","sourceRoot":"","sources":["../../../../src/modeling/rules/AllowPublic.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAA;AAClD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAC9C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AACxD,OAAO,EAAE,UAAU,
|
|
1
|
+
{"version":3,"file":"AllowPublic.d.ts","sourceRoot":"","sources":["../../../../src/modeling/rules/AllowPublic.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAA;AAClD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAC9C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AACxD,OAAO,EAAE,UAAU,EAA4B,KAAK,gBAAgB,EAAE,MAAM,iBAAiB,CAAA;AAE7F;;;;GAIG;AACH,MAAM,WAAW,2BAA4B,SAAQ,gBAAgB;IACnE,IAAI,EAAE,aAAa,CAAA;CACpB;AAED;;;;GAIG;AACH,qBAAa,qBAAsB,SAAQ,UAAW,YAAW,2BAA2B;IAC1F,SAAkB,IAAI,EAAE,aAAa,CAAA;gBAEzB,MAAM,EAAE,aAAa,GAAG,QAAQ,GAAG,MAAM,EAAE,KAAK,GAAE,OAAO,CAAC,2BAA2B,CAAM;CAexG"}
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import { AccessRule } from './AccessRule.js';
|
|
1
|
+
import { AccessRule, AccessRuleExecutionPhase } from './AccessRule.js';
|
|
2
2
|
/**
|
|
3
3
|
* The action is allowed for all users, including unauthenticated ones.
|
|
4
4
|
* This is typically used for public APIs or resources that do not require authentication.
|
|
@@ -7,7 +7,14 @@ import { AccessRule } from './AccessRule.js';
|
|
|
7
7
|
export class AllowPublicAccessRule extends AccessRule {
|
|
8
8
|
type;
|
|
9
9
|
constructor(parent, state = {}) {
|
|
10
|
-
super(parent,
|
|
10
|
+
super(parent, {
|
|
11
|
+
list: AccessRuleExecutionPhase.PRE_FETCH,
|
|
12
|
+
create: AccessRuleExecutionPhase.PRE_FETCH,
|
|
13
|
+
search: AccessRuleExecutionPhase.PRE_FETCH,
|
|
14
|
+
read: AccessRuleExecutionPhase.PRE_FETCH,
|
|
15
|
+
update: AccessRuleExecutionPhase.PRE_FETCH,
|
|
16
|
+
delete: AccessRuleExecutionPhase.PRE_FETCH,
|
|
17
|
+
}, state);
|
|
11
18
|
this.type = 'allowPublic';
|
|
12
19
|
}
|
|
13
20
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"AllowPublic.js","sourceRoot":"","sources":["../../../../src/modeling/rules/AllowPublic.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,UAAU,EAAyB,MAAM,iBAAiB,CAAA;
|
|
1
|
+
{"version":3,"file":"AllowPublic.js","sourceRoot":"","sources":["../../../../src/modeling/rules/AllowPublic.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,UAAU,EAAE,wBAAwB,EAAyB,MAAM,iBAAiB,CAAA;AAW7F;;;;GAIG;AACH,MAAM,OAAO,qBAAsB,SAAQ,UAAU;IACjC,IAAI,CAAe;IAErC,YAAY,MAAyC,EAAE,QAA8C,EAAE;QACrG,KAAK,CACH,MAAM,EACN;YACE,IAAI,EAAE,wBAAwB,CAAC,SAAS;YACxC,MAAM,EAAE,wBAAwB,CAAC,SAAS;YAC1C,MAAM,EAAE,wBAAwB,CAAC,SAAS;YAC1C,IAAI,EAAE,wBAAwB,CAAC,SAAS;YACxC,MAAM,EAAE,wBAAwB,CAAC,SAAS;YAC1C,MAAM,EAAE,wBAAwB,CAAC,SAAS;SAC3C,EACD,KAAK,CACN,CAAA;QACD,IAAI,CAAC,IAAI,GAAG,aAAa,CAAA;IAC3B,CAAC;CACF","sourcesContent":["import type { Action } from '../actions/Action.js'\nimport type { ApiModel } from '../ApiModel.js'\nimport type { ExposedEntity } from '../ExposedEntity.js'\nimport { AccessRule, AccessRuleExecutionPhase, type AccessRuleSchema } from './AccessRule.js'\n\n/**\n * The action is allowed for all users, including unauthenticated ones.\n * This is typically used for public APIs or resources that do not require authentication.\n * It is the most permissive rule and should be used with caution.\n */\nexport interface AllowPublicAccessRuleSchema extends AccessRuleSchema {\n type: 'allowPublic'\n}\n\n/**\n * The action is allowed for all users, including unauthenticated ones.\n * This is typically used for public APIs or resources that do not require authentication.\n * It is the most permissive rule and should be used with caution.\n */\nexport class AllowPublicAccessRule extends AccessRule implements AllowPublicAccessRuleSchema {\n override readonly type: 'allowPublic'\n\n constructor(parent: ExposedEntity | ApiModel | Action, state: Partial<AllowPublicAccessRuleSchema> = {}) {\n super(\n parent,\n {\n list: AccessRuleExecutionPhase.PRE_FETCH,\n create: AccessRuleExecutionPhase.PRE_FETCH,\n search: AccessRuleExecutionPhase.PRE_FETCH,\n read: AccessRuleExecutionPhase.PRE_FETCH,\n update: AccessRuleExecutionPhase.PRE_FETCH,\n delete: AccessRuleExecutionPhase.PRE_FETCH,\n },\n state\n )\n this.type = 'allowPublic'\n }\n}\n"]}
|
|
@@ -0,0 +1,36 @@
|
|
|
1
|
+
import type { Action } from '../actions/Action.js';
|
|
2
|
+
import type { ApiModel } from '../ApiModel.js';
|
|
3
|
+
import type { ExposedEntity } from '../ExposedEntity.js';
|
|
4
|
+
import { AccessRule, type AccessRuleSchema } from './AccessRule.js';
|
|
5
|
+
/**
|
|
6
|
+
* A specialized rule for entities using Status Semantics;
|
|
7
|
+
* ensures specific status records (e.g. "Archived" or "Draft") are granted or restricted.
|
|
8
|
+
*
|
|
9
|
+
* Since the data domain requires for an entity to have at the most one Status semantic, it is
|
|
10
|
+
* clear which field to use.
|
|
11
|
+
*/
|
|
12
|
+
export interface LifecycleStatusAccessRuleSchema extends AccessRuleSchema {
|
|
13
|
+
type: 'lifecycleStatus';
|
|
14
|
+
/**
|
|
15
|
+
* The statuses that are allowed access. If the resource's status is not in this list,
|
|
16
|
+
* access will be denied by this rule (or un-handled if permission phase).
|
|
17
|
+
*/
|
|
18
|
+
allowedStatuses?: string[];
|
|
19
|
+
/**
|
|
20
|
+
* The statuses that are explicitly denied access. If the resource's status is in this list,
|
|
21
|
+
* access will be denied.
|
|
22
|
+
*/
|
|
23
|
+
deniedStatuses?: string[];
|
|
24
|
+
}
|
|
25
|
+
/**
|
|
26
|
+
* A specialized rule for entities using Status Semantics;
|
|
27
|
+
* ensures specific status records (e.g. "Archived" or "Draft") are granted or restricted.
|
|
28
|
+
*/
|
|
29
|
+
export declare class LifecycleStatusAccessRule extends AccessRule implements LifecycleStatusAccessRuleSchema {
|
|
30
|
+
readonly type: 'lifecycleStatus';
|
|
31
|
+
accessor allowedStatuses: string[];
|
|
32
|
+
accessor deniedStatuses: string[];
|
|
33
|
+
constructor(parent: ExposedEntity | ApiModel | Action, state?: Partial<LifecycleStatusAccessRuleSchema>);
|
|
34
|
+
toJSON(): LifecycleStatusAccessRuleSchema;
|
|
35
|
+
}
|
|
36
|
+
//# sourceMappingURL=LifecycleStatus.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"LifecycleStatus.d.ts","sourceRoot":"","sources":["../../../../src/modeling/rules/LifecycleStatus.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAA;AAClD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAC9C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AACxD,OAAO,EAAE,UAAU,EAA4B,KAAK,gBAAgB,EAAE,MAAM,iBAAiB,CAAA;AAG7F;;;;;;GAMG;AACH,MAAM,WAAW,+BAAgC,SAAQ,gBAAgB;IACvE,IAAI,EAAE,iBAAiB,CAAA;IAEvB;;;OAGG;IACH,eAAe,CAAC,EAAE,MAAM,EAAE,CAAA;IAE1B;;;OAGG;IACH,cAAc,CAAC,EAAE,MAAM,EAAE,CAAA;CAC1B;AAED;;;GAGG;AACH,qBAAa,yBAA0B,SAAQ,UAAW,YAAW,+BAA+B;IAClG,SAAkB,IAAI,EAAE,iBAAiB,CAAA;IAEf,QAAQ,CAAC,eAAe,EAAE,MAAM,EAAE,CAAA;IAClC,QAAQ,CAAC,cAAc,EAAE,MAAM,EAAE,CAAA;gBAE/C,MAAM,EAAE,aAAa,GAAG,QAAQ,GAAG,MAAM,EAAE,KAAK,GAAE,OAAO,CAAC,+BAA+B,CAAM;IAiBlG,MAAM,IAAI,+BAA+B;CAcnD"}
|
|
@@ -0,0 +1,60 @@
|
|
|
1
|
+
import { __esDecorate, __runInitializers } from "tslib";
|
|
2
|
+
import { AccessRule, AccessRuleExecutionPhase } from './AccessRule.js';
|
|
3
|
+
import { observed, toRaw } from '../../decorators/observed.js';
|
|
4
|
+
/**
|
|
5
|
+
* A specialized rule for entities using Status Semantics;
|
|
6
|
+
* ensures specific status records (e.g. "Archived" or "Draft") are granted or restricted.
|
|
7
|
+
*/
|
|
8
|
+
let LifecycleStatusAccessRule = (() => {
|
|
9
|
+
let _classSuper = AccessRule;
|
|
10
|
+
let _allowedStatuses_decorators;
|
|
11
|
+
let _allowedStatuses_initializers = [];
|
|
12
|
+
let _allowedStatuses_extraInitializers = [];
|
|
13
|
+
let _deniedStatuses_decorators;
|
|
14
|
+
let _deniedStatuses_initializers = [];
|
|
15
|
+
let _deniedStatuses_extraInitializers = [];
|
|
16
|
+
return class LifecycleStatusAccessRule extends _classSuper {
|
|
17
|
+
static {
|
|
18
|
+
const _metadata = typeof Symbol === "function" && Symbol.metadata ? Object.create(_classSuper[Symbol.metadata] ?? null) : void 0;
|
|
19
|
+
_allowedStatuses_decorators = [observed({ deep: true })];
|
|
20
|
+
_deniedStatuses_decorators = [observed({ deep: true })];
|
|
21
|
+
__esDecorate(this, null, _allowedStatuses_decorators, { kind: "accessor", name: "allowedStatuses", static: false, private: false, access: { has: obj => "allowedStatuses" in obj, get: obj => obj.allowedStatuses, set: (obj, value) => { obj.allowedStatuses = value; } }, metadata: _metadata }, _allowedStatuses_initializers, _allowedStatuses_extraInitializers);
|
|
22
|
+
__esDecorate(this, null, _deniedStatuses_decorators, { kind: "accessor", name: "deniedStatuses", static: false, private: false, access: { has: obj => "deniedStatuses" in obj, get: obj => obj.deniedStatuses, set: (obj, value) => { obj.deniedStatuses = value; } }, metadata: _metadata }, _deniedStatuses_initializers, _deniedStatuses_extraInitializers);
|
|
23
|
+
if (_metadata) Object.defineProperty(this, Symbol.metadata, { enumerable: true, configurable: true, writable: true, value: _metadata });
|
|
24
|
+
}
|
|
25
|
+
type;
|
|
26
|
+
#allowedStatuses_accessor_storage = __runInitializers(this, _allowedStatuses_initializers, void 0);
|
|
27
|
+
get allowedStatuses() { return this.#allowedStatuses_accessor_storage; }
|
|
28
|
+
set allowedStatuses(value) { this.#allowedStatuses_accessor_storage = value; }
|
|
29
|
+
#deniedStatuses_accessor_storage = (__runInitializers(this, _allowedStatuses_extraInitializers), __runInitializers(this, _deniedStatuses_initializers, void 0));
|
|
30
|
+
get deniedStatuses() { return this.#deniedStatuses_accessor_storage; }
|
|
31
|
+
set deniedStatuses(value) { this.#deniedStatuses_accessor_storage = value; }
|
|
32
|
+
constructor(parent, state = {}) {
|
|
33
|
+
super(parent, {
|
|
34
|
+
list: AccessRuleExecutionPhase.FETCH,
|
|
35
|
+
search: AccessRuleExecutionPhase.FETCH,
|
|
36
|
+
read: AccessRuleExecutionPhase.POST_FETCH,
|
|
37
|
+
update: AccessRuleExecutionPhase.POST_FETCH,
|
|
38
|
+
delete: AccessRuleExecutionPhase.POST_FETCH,
|
|
39
|
+
}, state);
|
|
40
|
+
__runInitializers(this, _deniedStatuses_extraInitializers);
|
|
41
|
+
this.type = 'lifecycleStatus';
|
|
42
|
+
this.allowedStatuses = state.allowedStatuses ? [...state.allowedStatuses] : [];
|
|
43
|
+
this.deniedStatuses = state.deniedStatuses ? [...state.deniedStatuses] : [];
|
|
44
|
+
}
|
|
45
|
+
toJSON() {
|
|
46
|
+
const json = {
|
|
47
|
+
...super.toJSON(),
|
|
48
|
+
};
|
|
49
|
+
if (this.allowedStatuses.length > 0) {
|
|
50
|
+
json.allowedStatuses = structuredClone(toRaw(this, this.allowedStatuses));
|
|
51
|
+
}
|
|
52
|
+
if (this.deniedStatuses.length > 0) {
|
|
53
|
+
json.deniedStatuses = structuredClone(toRaw(this, this.deniedStatuses));
|
|
54
|
+
}
|
|
55
|
+
return json;
|
|
56
|
+
}
|
|
57
|
+
};
|
|
58
|
+
})();
|
|
59
|
+
export { LifecycleStatusAccessRule };
|
|
60
|
+
//# sourceMappingURL=LifecycleStatus.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"LifecycleStatus.js","sourceRoot":"","sources":["../../../../src/modeling/rules/LifecycleStatus.ts"],"names":[],"mappings":";AAGA,OAAO,EAAE,UAAU,EAAE,wBAAwB,EAAyB,MAAM,iBAAiB,CAAA;AAC7F,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,8BAA8B,CAAA;AAyB9D;;;GAGG;IACU,yBAAyB;sBAAS,UAAU;;;;;;;iBAA5C,yBAA0B,SAAQ,WAAU;;;2CAGtD,QAAQ,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;0CACxB,QAAQ,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;YADC,kMAAS,eAAe,6BAAf,eAAe,yGAAU;YAClC,+LAAS,cAAc,6BAAd,cAAc,uGAAU;;;QAHzC,IAAI,CAAmB;QAEf,mGAAkC;QAAlC,IAAS,eAAe,qDAAU;QAAlC,IAAS,eAAe,2DAAU;QAClC,gKAAiC;QAAjC,IAAS,cAAc,oDAAU;QAAjC,IAAS,cAAc,0DAAU;QAE3D,YAAY,MAAyC,EAAE,QAAkD,EAAE;YACzG,KAAK,CACH,MAAM,EACN;gBACE,IAAI,EAAE,wBAAwB,CAAC,KAAK;gBACpC,MAAM,EAAE,wBAAwB,CAAC,KAAK;gBACtC,IAAI,EAAE,wBAAwB,CAAC,UAAU;gBACzC,MAAM,EAAE,wBAAwB,CAAC,UAAU;gBAC3C,MAAM,EAAE,wBAAwB,CAAC,UAAU;aAC5C,EACD,KAAK,CACN,CAAA;;YACD,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAA;YAC7B,IAAI,CAAC,eAAe,GAAG,KAAK,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;YAC9E,IAAI,CAAC,cAAc,GAAG,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;SAC5E;QAEQ,MAAM;YACb,MAAM,IAAI,GAAoC;gBAC5C,GAAI,KAAK,CAAC,MAAM,EAAsC;aACvD,CAAA;YAED,IAAI,IAAI,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACpC,IAAI,CAAC,eAAe,GAAG,eAAe,CAAC,KAAK,CAAC,IAAI,EAAE,IAAI,CAAC,eAAe,CAAC,CAAa,CAAA;YACvF,CAAC;YACD,IAAI,IAAI,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACnC,IAAI,CAAC,cAAc,GAAG,eAAe,CAAC,KAAK,CAAC,IAAI,EAAE,IAAI,CAAC,cAAc,CAAC,CAAa,CAAA;YACrF,CAAC;YAED,OAAO,IAAI,CAAA;QACb,CAAC;;;SApCU,yBAAyB","sourcesContent":["import type { Action } from '../actions/Action.js'\nimport type { ApiModel } from '../ApiModel.js'\nimport type { ExposedEntity } from '../ExposedEntity.js'\nimport { AccessRule, AccessRuleExecutionPhase, type AccessRuleSchema } from './AccessRule.js'\nimport { observed, toRaw } from '../../decorators/observed.js'\n\n/**\n * A specialized rule for entities using Status Semantics;\n * ensures specific status records (e.g. \"Archived\" or \"Draft\") are granted or restricted.\n *\n * Since the data domain requires for an entity to have at the most one Status semantic, it is\n * clear which field to use.\n */\nexport interface LifecycleStatusAccessRuleSchema extends AccessRuleSchema {\n type: 'lifecycleStatus'\n\n /**\n * The statuses that are allowed access. If the resource's status is not in this list,\n * access will be denied by this rule (or un-handled if permission phase).\n */\n allowedStatuses?: string[]\n\n /**\n * The statuses that are explicitly denied access. If the resource's status is in this list,\n * access will be denied.\n */\n deniedStatuses?: string[]\n}\n\n/**\n * A specialized rule for entities using Status Semantics;\n * ensures specific status records (e.g. \"Archived\" or \"Draft\") are granted or restricted.\n */\nexport class LifecycleStatusAccessRule extends AccessRule implements LifecycleStatusAccessRuleSchema {\n override readonly type: 'lifecycleStatus'\n\n @observed({ deep: true }) accessor allowedStatuses: string[]\n @observed({ deep: true }) accessor deniedStatuses: string[]\n\n constructor(parent: ExposedEntity | ApiModel | Action, state: Partial<LifecycleStatusAccessRuleSchema> = {}) {\n super(\n parent,\n {\n list: AccessRuleExecutionPhase.FETCH,\n search: AccessRuleExecutionPhase.FETCH,\n read: AccessRuleExecutionPhase.POST_FETCH,\n update: AccessRuleExecutionPhase.POST_FETCH,\n delete: AccessRuleExecutionPhase.POST_FETCH,\n },\n state\n )\n this.type = 'lifecycleStatus'\n this.allowedStatuses = state.allowedStatuses ? [...state.allowedStatuses] : []\n this.deniedStatuses = state.deniedStatuses ? [...state.deniedStatuses] : []\n }\n\n override toJSON(): LifecycleStatusAccessRuleSchema {\n const json: LifecycleStatusAccessRuleSchema = {\n ...(super.toJSON() as LifecycleStatusAccessRuleSchema),\n }\n\n if (this.allowedStatuses.length > 0) {\n json.allowedStatuses = structuredClone(toRaw(this, this.allowedStatuses)) as string[]\n }\n if (this.deniedStatuses.length > 0) {\n json.deniedStatuses = structuredClone(toRaw(this, this.deniedStatuses)) as string[]\n }\n\n return json\n }\n}\n"]}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"MatchEmailDomain.d.ts","sourceRoot":"","sources":["../../../../src/modeling/rules/MatchEmailDomain.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAA;AAClD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAC9C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AACxD,OAAO,EAAE,UAAU,
|
|
1
|
+
{"version":3,"file":"MatchEmailDomain.d.ts","sourceRoot":"","sources":["../../../../src/modeling/rules/MatchEmailDomain.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAA;AAClD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAC9C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AACxD,OAAO,EAAE,UAAU,EAA4B,KAAK,gBAAgB,EAAE,MAAM,iBAAiB,CAAA;AAG7F;;;;GAIG;AACH,MAAM,WAAW,gCAAiC,SAAQ,gBAAgB;IACxE,IAAI,EAAE,kBAAkB,CAAA;IACxB;;OAEG;IACH,OAAO,EAAE,MAAM,EAAE,CAAA;CAClB;AAED;;;;GAIG;AACH,qBAAa,0BAA2B,SAAQ,UAAW,YAAW,gCAAgC;IACpG,SAAkB,IAAI,EAAE,kBAAkB,CAAA;IAEhB,QAAQ,CAAC,OAAO,EAAE,MAAM,EAAE,CAAA;gBAExC,MAAM,EAAE,aAAa,GAAG,QAAQ,GAAG,MAAM,EAAE,KAAK,GAAE,OAAO,CAAC,gCAAgC,CAAM;IAiBnG,MAAM,IAAI,gCAAgC;CAMpD"}
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import { __esDecorate, __runInitializers } from "tslib";
|
|
2
|
-
import { AccessRule } from './AccessRule.js';
|
|
2
|
+
import { AccessRule, AccessRuleExecutionPhase } from './AccessRule.js';
|
|
3
3
|
import { observed, toRaw } from '../../decorators/observed.js';
|
|
4
4
|
/**
|
|
5
5
|
* The action is allowed if the authenticated user's email domain matches a specific domain.
|
|
@@ -23,7 +23,14 @@ let MatchEmailDomainAccessRule = (() => {
|
|
|
23
23
|
get domains() { return this.#domains_accessor_storage; }
|
|
24
24
|
set domains(value) { this.#domains_accessor_storage = value; }
|
|
25
25
|
constructor(parent, state = {}) {
|
|
26
|
-
super(parent,
|
|
26
|
+
super(parent, {
|
|
27
|
+
list: AccessRuleExecutionPhase.PRE_FETCH,
|
|
28
|
+
create: AccessRuleExecutionPhase.PRE_FETCH,
|
|
29
|
+
search: AccessRuleExecutionPhase.PRE_FETCH,
|
|
30
|
+
read: AccessRuleExecutionPhase.PRE_FETCH,
|
|
31
|
+
update: AccessRuleExecutionPhase.PRE_FETCH,
|
|
32
|
+
delete: AccessRuleExecutionPhase.PRE_FETCH,
|
|
33
|
+
}, state);
|
|
27
34
|
__runInitializers(this, _domains_extraInitializers);
|
|
28
35
|
this.type = 'matchEmailDomain';
|
|
29
36
|
this.domains = state.domains ? [...state.domains] : [];
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"MatchEmailDomain.js","sourceRoot":"","sources":["../../../../src/modeling/rules/MatchEmailDomain.ts"],"names":[],"mappings":";AAGA,OAAO,EAAE,UAAU,EAAyB,MAAM,iBAAiB,CAAA;
|
|
1
|
+
{"version":3,"file":"MatchEmailDomain.js","sourceRoot":"","sources":["../../../../src/modeling/rules/MatchEmailDomain.ts"],"names":[],"mappings":";AAGA,OAAO,EAAE,UAAU,EAAE,wBAAwB,EAAyB,MAAM,iBAAiB,CAAA;AAC7F,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,8BAA8B,CAAA;AAe9D;;;;GAIG;IACU,0BAA0B;sBAAS,UAAU;;;;iBAA7C,0BAA2B,SAAQ,WAAU;;;mCAGvD,QAAQ,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;YAAC,0KAAS,OAAO,6BAAP,OAAO,yFAAU;;;QAFlC,IAAI,CAAoB;QAEhB,mFAA0B;QAA1B,IAAS,OAAO,6CAAU;QAA1B,IAAS,OAAO,mDAAU;QAEpD,YAAY,MAAyC,EAAE,QAAmD,EAAE;YAC1G,KAAK,CACH,MAAM,EACN;gBACE,IAAI,EAAE,wBAAwB,CAAC,SAAS;gBACxC,MAAM,EAAE,wBAAwB,CAAC,SAAS;gBAC1C,MAAM,EAAE,wBAAwB,CAAC,SAAS;gBAC1C,IAAI,EAAE,wBAAwB,CAAC,SAAS;gBACxC,MAAM,EAAE,wBAAwB,CAAC,SAAS;gBAC1C,MAAM,EAAE,wBAAwB,CAAC,SAAS;aAC3C,EACD,KAAK,CACN,CAAA;;YACD,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAA;YAC9B,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;SACvD;QAEQ,MAAM;YACb,OAAO;gBACL,GAAI,KAAK,CAAC,MAAM,EAAuC;gBACvD,OAAO,EAAE,eAAe,CAAC,KAAK,CAAC,IAAI,EAAE,IAAI,CAAC,OAAO,CAAC,CAAa;aAChE,CAAA;QACH,CAAC;;;SA3BU,0BAA0B","sourcesContent":["import type { Action } from '../actions/Action.js'\nimport type { ApiModel } from '../ApiModel.js'\nimport type { ExposedEntity } from '../ExposedEntity.js'\nimport { AccessRule, AccessRuleExecutionPhase, type AccessRuleSchema } from './AccessRule.js'\nimport { observed, toRaw } from '../../decorators/observed.js'\n\n/**\n * The action is allowed if the authenticated user's email domain matches a specific domain.\n * This is used to restrict access based on the user's email address.\n * For example, only users with an email address from \"my-company.com\" can access certain resources.\n */\nexport interface MatchEmailDomainAccessRuleSchema extends AccessRuleSchema {\n type: 'matchEmailDomain'\n /**\n * The email domains that the authenticated user's email must match.\n */\n domains: string[]\n}\n\n/**\n * The action is allowed if the authenticated user's email domain matches a specific domain.\n * This is used to restrict access based on the user's email address.\n * For example, only users with an email address from \"my-company.com\" can access certain resources.\n */\nexport class MatchEmailDomainAccessRule extends AccessRule implements MatchEmailDomainAccessRuleSchema {\n override readonly type: 'matchEmailDomain'\n\n @observed({ deep: true }) accessor domains: string[]\n\n constructor(parent: ExposedEntity | ApiModel | Action, state: Partial<MatchEmailDomainAccessRuleSchema> = {}) {\n super(\n parent,\n {\n list: AccessRuleExecutionPhase.PRE_FETCH,\n create: AccessRuleExecutionPhase.PRE_FETCH,\n search: AccessRuleExecutionPhase.PRE_FETCH,\n read: AccessRuleExecutionPhase.PRE_FETCH,\n update: AccessRuleExecutionPhase.PRE_FETCH,\n delete: AccessRuleExecutionPhase.PRE_FETCH,\n },\n state\n )\n this.type = 'matchEmailDomain'\n this.domains = state.domains ? [...state.domains] : []\n }\n\n override toJSON(): MatchEmailDomainAccessRuleSchema {\n return {\n ...(super.toJSON() as MatchEmailDomainAccessRuleSchema),\n domains: structuredClone(toRaw(this, this.domains)) as string[],\n }\n }\n}\n"]}
|
|
@@ -0,0 +1,38 @@
|
|
|
1
|
+
import type { Action } from '../actions/Action.js';
|
|
2
|
+
import type { ApiModel } from '../ApiModel.js';
|
|
3
|
+
import type { ExposedEntity } from '../ExposedEntity.js';
|
|
4
|
+
import { AccessRule, type AccessRuleSchema } from './AccessRule.js';
|
|
5
|
+
export type MatchResourceAttributeOperator = 'equal' | 'notEqual' | 'startsWith' | 'endsWith' | 'contains' | 'greaterThan' | 'lessThan' | 'greaterThanOrEqual' | 'lessThanOrEqual';
|
|
6
|
+
/**
|
|
7
|
+
* Grants access based on a static value within the resource itself.
|
|
8
|
+
* Example: Allow Read behavior if status == 'published'.
|
|
9
|
+
*/
|
|
10
|
+
export interface MatchResourceAttributeAccessRuleSchema extends AccessRuleSchema {
|
|
11
|
+
type: 'matchResourceAttribute';
|
|
12
|
+
/**
|
|
13
|
+
* The name of the attribute on the resource to check.
|
|
14
|
+
*/
|
|
15
|
+
attribute: string;
|
|
16
|
+
/**
|
|
17
|
+
* The static value to match against the resource's attribute.
|
|
18
|
+
*/
|
|
19
|
+
value: string | number | boolean;
|
|
20
|
+
/**
|
|
21
|
+
* The operator to use when comparing the resource's attribute to the given value.
|
|
22
|
+
* Defaults to 'equal'.
|
|
23
|
+
*/
|
|
24
|
+
operator?: MatchResourceAttributeOperator;
|
|
25
|
+
}
|
|
26
|
+
/**
|
|
27
|
+
* Grants access based on a static value within the resource itself.
|
|
28
|
+
* Example: Allow Read behavior if status == 'published'.
|
|
29
|
+
*/
|
|
30
|
+
export declare class MatchResourceAttributeAccessRule extends AccessRule implements MatchResourceAttributeAccessRuleSchema {
|
|
31
|
+
readonly type: 'matchResourceAttribute';
|
|
32
|
+
accessor attribute: string;
|
|
33
|
+
accessor value: string | number | boolean;
|
|
34
|
+
accessor operator: MatchResourceAttributeOperator;
|
|
35
|
+
constructor(parent: ExposedEntity | ApiModel | Action, state?: Partial<MatchResourceAttributeAccessRuleSchema>);
|
|
36
|
+
toJSON(): MatchResourceAttributeAccessRuleSchema;
|
|
37
|
+
}
|
|
38
|
+
//# sourceMappingURL=MatchResourceAttribute.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"MatchResourceAttribute.d.ts","sourceRoot":"","sources":["../../../../src/modeling/rules/MatchResourceAttribute.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAA;AAClD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAC9C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AACxD,OAAO,EAAE,UAAU,EAA4B,KAAK,gBAAgB,EAAE,MAAM,iBAAiB,CAAA;AAG7F,MAAM,MAAM,8BAA8B,GACtC,OAAO,GACP,UAAU,GACV,YAAY,GACZ,UAAU,GACV,UAAU,GACV,aAAa,GACb,UAAU,GACV,oBAAoB,GACpB,iBAAiB,CAAA;AAErB;;;GAGG;AACH,MAAM,WAAW,sCAAuC,SAAQ,gBAAgB;IAC9E,IAAI,EAAE,wBAAwB,CAAA;IAE9B;;OAEG;IACH,SAAS,EAAE,MAAM,CAAA;IAEjB;;OAEG;IACH,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAAA;IAEhC;;;OAGG;IACH,QAAQ,CAAC,EAAE,8BAA8B,CAAA;CAC1C;AAED;;;GAGG;AACH,qBAAa,gCAAiC,SAAQ,UAAW,YAAW,sCAAsC;IAChH,SAAkB,IAAI,EAAE,wBAAwB,CAAA;IAEpC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAA;IAC1B,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAAA;IACzC,QAAQ,CAAC,QAAQ,EAAE,8BAA8B,CAAA;gBAEjD,MAAM,EAAE,aAAa,GAAG,QAAQ,GAAG,MAAM,EAAE,KAAK,GAAE,OAAO,CAAC,sCAAsC,CAAM;IAkBzG,MAAM,IAAI,sCAAsC;CAW1D"}
|
|
@@ -0,0 +1,68 @@
|
|
|
1
|
+
import { __esDecorate, __runInitializers } from "tslib";
|
|
2
|
+
import { AccessRule, AccessRuleExecutionPhase } from './AccessRule.js';
|
|
3
|
+
import { observed } from '../../decorators/observed.js';
|
|
4
|
+
/**
|
|
5
|
+
* Grants access based on a static value within the resource itself.
|
|
6
|
+
* Example: Allow Read behavior if status == 'published'.
|
|
7
|
+
*/
|
|
8
|
+
let MatchResourceAttributeAccessRule = (() => {
|
|
9
|
+
let _classSuper = AccessRule;
|
|
10
|
+
let _attribute_decorators;
|
|
11
|
+
let _attribute_initializers = [];
|
|
12
|
+
let _attribute_extraInitializers = [];
|
|
13
|
+
let _value_decorators;
|
|
14
|
+
let _value_initializers = [];
|
|
15
|
+
let _value_extraInitializers = [];
|
|
16
|
+
let _operator_decorators;
|
|
17
|
+
let _operator_initializers = [];
|
|
18
|
+
let _operator_extraInitializers = [];
|
|
19
|
+
return class MatchResourceAttributeAccessRule extends _classSuper {
|
|
20
|
+
static {
|
|
21
|
+
const _metadata = typeof Symbol === "function" && Symbol.metadata ? Object.create(_classSuper[Symbol.metadata] ?? null) : void 0;
|
|
22
|
+
_attribute_decorators = [observed()];
|
|
23
|
+
_value_decorators = [observed()];
|
|
24
|
+
_operator_decorators = [observed()];
|
|
25
|
+
__esDecorate(this, null, _attribute_decorators, { kind: "accessor", name: "attribute", static: false, private: false, access: { has: obj => "attribute" in obj, get: obj => obj.attribute, set: (obj, value) => { obj.attribute = value; } }, metadata: _metadata }, _attribute_initializers, _attribute_extraInitializers);
|
|
26
|
+
__esDecorate(this, null, _value_decorators, { kind: "accessor", name: "value", static: false, private: false, access: { has: obj => "value" in obj, get: obj => obj.value, set: (obj, value) => { obj.value = value; } }, metadata: _metadata }, _value_initializers, _value_extraInitializers);
|
|
27
|
+
__esDecorate(this, null, _operator_decorators, { kind: "accessor", name: "operator", static: false, private: false, access: { has: obj => "operator" in obj, get: obj => obj.operator, set: (obj, value) => { obj.operator = value; } }, metadata: _metadata }, _operator_initializers, _operator_extraInitializers);
|
|
28
|
+
if (_metadata) Object.defineProperty(this, Symbol.metadata, { enumerable: true, configurable: true, writable: true, value: _metadata });
|
|
29
|
+
}
|
|
30
|
+
type;
|
|
31
|
+
#attribute_accessor_storage = __runInitializers(this, _attribute_initializers, void 0);
|
|
32
|
+
get attribute() { return this.#attribute_accessor_storage; }
|
|
33
|
+
set attribute(value) { this.#attribute_accessor_storage = value; }
|
|
34
|
+
#value_accessor_storage = (__runInitializers(this, _attribute_extraInitializers), __runInitializers(this, _value_initializers, void 0));
|
|
35
|
+
get value() { return this.#value_accessor_storage; }
|
|
36
|
+
set value(value) { this.#value_accessor_storage = value; }
|
|
37
|
+
#operator_accessor_storage = (__runInitializers(this, _value_extraInitializers), __runInitializers(this, _operator_initializers, void 0));
|
|
38
|
+
get operator() { return this.#operator_accessor_storage; }
|
|
39
|
+
set operator(value) { this.#operator_accessor_storage = value; }
|
|
40
|
+
constructor(parent, state = {}) {
|
|
41
|
+
super(parent, {
|
|
42
|
+
list: AccessRuleExecutionPhase.FETCH,
|
|
43
|
+
search: AccessRuleExecutionPhase.FETCH,
|
|
44
|
+
read: AccessRuleExecutionPhase.POST_FETCH,
|
|
45
|
+
update: AccessRuleExecutionPhase.POST_FETCH,
|
|
46
|
+
delete: AccessRuleExecutionPhase.POST_FETCH,
|
|
47
|
+
}, state);
|
|
48
|
+
__runInitializers(this, _operator_extraInitializers);
|
|
49
|
+
this.type = 'matchResourceAttribute';
|
|
50
|
+
this.attribute = state.attribute ?? '';
|
|
51
|
+
this.value = state.value ?? '';
|
|
52
|
+
this.operator = state.operator ?? 'equal';
|
|
53
|
+
}
|
|
54
|
+
toJSON() {
|
|
55
|
+
const json = {
|
|
56
|
+
...super.toJSON(),
|
|
57
|
+
attribute: this.attribute,
|
|
58
|
+
value: this.value,
|
|
59
|
+
};
|
|
60
|
+
if (this.operator) {
|
|
61
|
+
json.operator = this.operator;
|
|
62
|
+
}
|
|
63
|
+
return json;
|
|
64
|
+
}
|
|
65
|
+
};
|
|
66
|
+
})();
|
|
67
|
+
export { MatchResourceAttributeAccessRule };
|
|
68
|
+
//# sourceMappingURL=MatchResourceAttribute.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"MatchResourceAttribute.js","sourceRoot":"","sources":["../../../../src/modeling/rules/MatchResourceAttribute.ts"],"names":[],"mappings":";AAGA,OAAO,EAAE,UAAU,EAAE,wBAAwB,EAAyB,MAAM,iBAAiB,CAAA;AAC7F,OAAO,EAAE,QAAQ,EAAE,MAAM,8BAA8B,CAAA;AAqCvD;;;GAGG;IACU,gCAAgC;sBAAS,UAAU;;;;;;;;;;iBAAnD,gCAAiC,SAAQ,WAAU;;;qCAG7D,QAAQ,EAAE;iCACV,QAAQ,EAAE;oCACV,QAAQ,EAAE;YAFC,gLAAS,SAAS,6BAAT,SAAS,6FAAQ;YAC1B,oKAAS,KAAK,6BAAL,KAAK,qFAA2B;YACzC,6KAAS,QAAQ,6BAAR,QAAQ,2FAAgC;;;QAJ3C,IAAI,CAA0B;QAEpC,uFAA0B;QAA1B,IAAS,SAAS,+CAAQ;QAA1B,IAAS,SAAS,qDAAQ;QAC1B,wIAAyC;QAAzC,IAAS,KAAK,2CAA2B;QAAzC,IAAS,KAAK,iDAA2B;QACzC,0IAAiD;QAAjD,IAAS,QAAQ,8CAAgC;QAAjD,IAAS,QAAQ,oDAAgC;QAE7D,YAAY,MAAyC,EAAE,QAAyD,EAAE;YAChH,KAAK,CACH,MAAM,EACN;gBACE,IAAI,EAAE,wBAAwB,CAAC,KAAK;gBACpC,MAAM,EAAE,wBAAwB,CAAC,KAAK;gBACtC,IAAI,EAAE,wBAAwB,CAAC,UAAU;gBACzC,MAAM,EAAE,wBAAwB,CAAC,UAAU;gBAC3C,MAAM,EAAE,wBAAwB,CAAC,UAAU;aAC5C,EACD,KAAK,CACN,CAAA;;YACD,IAAI,CAAC,IAAI,GAAG,wBAAwB,CAAA;YACpC,IAAI,CAAC,SAAS,GAAG,KAAK,CAAC,SAAS,IAAI,EAAE,CAAA;YACtC,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC,KAAK,IAAI,EAAE,CAAA;YAC9B,IAAI,CAAC,QAAQ,GAAG,KAAK,CAAC,QAAQ,IAAI,OAAO,CAAA;SAC1C;QAEQ,MAAM;YACb,MAAM,IAAI,GAA2C;gBACnD,GAAI,KAAK,CAAC,MAAM,EAA6C;gBAC7D,SAAS,EAAE,IAAI,CAAC,SAAS;gBACzB,KAAK,EAAE,IAAI,CAAC,KAAK;aAClB,CAAA;YACD,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBAClB,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAA;YAC/B,CAAC;YACD,OAAO,IAAI,CAAA;QACb,CAAC;;;SAnCU,gCAAgC","sourcesContent":["import type { Action } from '../actions/Action.js'\nimport type { ApiModel } from '../ApiModel.js'\nimport type { ExposedEntity } from '../ExposedEntity.js'\nimport { AccessRule, AccessRuleExecutionPhase, type AccessRuleSchema } from './AccessRule.js'\nimport { observed } from '../../decorators/observed.js'\n\nexport type MatchResourceAttributeOperator =\n | 'equal'\n | 'notEqual'\n | 'startsWith'\n | 'endsWith'\n | 'contains'\n | 'greaterThan'\n | 'lessThan'\n | 'greaterThanOrEqual'\n | 'lessThanOrEqual'\n\n/**\n * Grants access based on a static value within the resource itself.\n * Example: Allow Read behavior if status == 'published'.\n */\nexport interface MatchResourceAttributeAccessRuleSchema extends AccessRuleSchema {\n type: 'matchResourceAttribute'\n\n /**\n * The name of the attribute on the resource to check.\n */\n attribute: string\n\n /**\n * The static value to match against the resource's attribute.\n */\n value: string | number | boolean\n\n /**\n * The operator to use when comparing the resource's attribute to the given value.\n * Defaults to 'equal'.\n */\n operator?: MatchResourceAttributeOperator\n}\n\n/**\n * Grants access based on a static value within the resource itself.\n * Example: Allow Read behavior if status == 'published'.\n */\nexport class MatchResourceAttributeAccessRule extends AccessRule implements MatchResourceAttributeAccessRuleSchema {\n override readonly type: 'matchResourceAttribute'\n\n @observed() accessor attribute: string\n @observed() accessor value: string | number | boolean\n @observed() accessor operator: MatchResourceAttributeOperator\n\n constructor(parent: ExposedEntity | ApiModel | Action, state: Partial<MatchResourceAttributeAccessRuleSchema> = {}) {\n super(\n parent,\n {\n list: AccessRuleExecutionPhase.FETCH,\n search: AccessRuleExecutionPhase.FETCH,\n read: AccessRuleExecutionPhase.POST_FETCH,\n update: AccessRuleExecutionPhase.POST_FETCH,\n delete: AccessRuleExecutionPhase.POST_FETCH,\n },\n state\n )\n this.type = 'matchResourceAttribute'\n this.attribute = state.attribute ?? ''\n this.value = state.value ?? ''\n this.operator = state.operator ?? 'equal'\n }\n\n override toJSON(): MatchResourceAttributeAccessRuleSchema {\n const json: MatchResourceAttributeAccessRuleSchema = {\n ...(super.toJSON() as MatchResourceAttributeAccessRuleSchema),\n attribute: this.attribute,\n value: this.value,\n }\n if (this.operator) {\n json.operator = this.operator\n }\n return json\n }\n}\n"]}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"MatchResourceOwner.d.ts","sourceRoot":"","sources":["../../../../src/modeling/rules/MatchResourceOwner.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAA;AAClD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAC9C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AACxD,OAAO,EAAE,UAAU,
|
|
1
|
+
{"version":3,"file":"MatchResourceOwner.d.ts","sourceRoot":"","sources":["../../../../src/modeling/rules/MatchResourceOwner.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAA;AAClD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAC9C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AACxD,OAAO,EAAE,UAAU,EAA4B,KAAK,gBAAgB,EAAE,MAAM,iBAAiB,CAAA;AAG7F;;;;GAIG;AACH,MAAM,WAAW,kCAAmC,SAAQ,gBAAgB;IAC1E,IAAI,EAAE,oBAAoB,CAAA;IAC1B;;;;;;;;OAQG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAA;IAEjB;;;;OAIG;IACH,MAAM,CAAC,EAAE,UAAU,GAAG,aAAa,CAAA;CACpC;AAED;;;;GAIG;AACH,qBAAa,4BAA6B,SAAQ,UAAW,YAAW,kCAAkC;IACxG,SAAkB,IAAI,EAAE,oBAAoB,CAAA;IAEhC,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAA;IACrC,QAAQ,CAAC,MAAM,EAAE,UAAU,GAAG,aAAa,CAAA;gBAE3C,MAAM,EAAE,aAAa,GAAG,QAAQ,GAAG,MAAM,EAAE,KAAK,GAAE,OAAO,CAAC,kCAAkC,CAAM;IAiBrG,MAAM,IAAI,kCAAkC;CAUtD"}
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import { __esDecorate, __runInitializers } from "tslib";
|
|
2
|
-
import { AccessRule } from './AccessRule.js';
|
|
2
|
+
import { AccessRule, AccessRuleExecutionPhase } from './AccessRule.js';
|
|
3
3
|
import { observed } from '../../decorators/observed.js';
|
|
4
4
|
/**
|
|
5
5
|
* The action is allowed if the authenticated user's ID matches a specific property on the resource.
|
|
@@ -31,7 +31,13 @@ let MatchResourceOwnerAccessRule = (() => {
|
|
|
31
31
|
get target() { return this.#target_accessor_storage; }
|
|
32
32
|
set target(value) { this.#target_accessor_storage = value; }
|
|
33
33
|
constructor(parent, state = {}) {
|
|
34
|
-
super(parent,
|
|
34
|
+
super(parent, {
|
|
35
|
+
list: AccessRuleExecutionPhase.FETCH,
|
|
36
|
+
search: AccessRuleExecutionPhase.FETCH,
|
|
37
|
+
read: AccessRuleExecutionPhase.POST_FETCH,
|
|
38
|
+
update: AccessRuleExecutionPhase.POST_FETCH,
|
|
39
|
+
delete: AccessRuleExecutionPhase.POST_FETCH,
|
|
40
|
+
}, state);
|
|
35
41
|
__runInitializers(this, _target_extraInitializers);
|
|
36
42
|
this.type = 'matchResourceOwner';
|
|
37
43
|
this.property = state.property;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"MatchResourceOwner.js","sourceRoot":"","sources":["../../../../src/modeling/rules/MatchResourceOwner.ts"],"names":[],"mappings":";AAGA,OAAO,EAAE,UAAU,EAAyB,MAAM,iBAAiB,CAAA;
|
|
1
|
+
{"version":3,"file":"MatchResourceOwner.js","sourceRoot":"","sources":["../../../../src/modeling/rules/MatchResourceOwner.ts"],"names":[],"mappings":";AAGA,OAAO,EAAE,UAAU,EAAE,wBAAwB,EAAyB,MAAM,iBAAiB,CAAA;AAC7F,OAAO,EAAE,QAAQ,EAAE,MAAM,8BAA8B,CAAA;AA4BvD;;;;GAIG;IACU,4BAA4B;sBAAS,UAAU;;;;;;;iBAA/C,4BAA6B,SAAQ,WAAU;;;oCAGzD,QAAQ,EAAE;kCACV,QAAQ,EAAE;YADC,6KAAS,QAAQ,6BAAR,QAAQ,2FAAoB;YACrC,uKAAS,MAAM,6BAAN,MAAM,uFAA4B;;;QAHrC,IAAI,CAAsB;QAEhC,qFAAqC;QAArC,IAAS,QAAQ,8CAAoB;QAArC,IAAS,QAAQ,oDAAoB;QACrC,yIAA2C;QAA3C,IAAS,MAAM,4CAA4B;QAA3C,IAAS,MAAM,kDAA4B;QAEvD,YAAY,MAAyC,EAAE,QAAqD,EAAE;YAC5G,KAAK,CACH,MAAM,EACN;gBACE,IAAI,EAAE,wBAAwB,CAAC,KAAK;gBACpC,MAAM,EAAE,wBAAwB,CAAC,KAAK;gBACtC,IAAI,EAAE,wBAAwB,CAAC,UAAU;gBACzC,MAAM,EAAE,wBAAwB,CAAC,UAAU;gBAC3C,MAAM,EAAE,wBAAwB,CAAC,UAAU;aAC5C,EACD,KAAK,CACN,CAAA;;YACD,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAA;YAChC,IAAI,CAAC,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAA;YAC9B,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC,MAAM,IAAI,UAAU,CAAA;SACzC;QAEQ,MAAM;YACb,MAAM,IAAI,GAAuC;gBAC/C,GAAI,KAAK,CAAC,MAAM,EAAyC;gBACzD,MAAM,EAAE,IAAI,CAAC,MAAM;aACpB,CAAA;YACD,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBAClB,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAA;YAC/B,CAAC;YACD,OAAO,IAAI,CAAA;QACb,CAAC;;;SAhCU,4BAA4B","sourcesContent":["import type { Action } from '../actions/Action.js'\nimport type { ApiModel } from '../ApiModel.js'\nimport type { ExposedEntity } from '../ExposedEntity.js'\nimport { AccessRule, AccessRuleExecutionPhase, type AccessRuleSchema } from './AccessRule.js'\nimport { observed } from '../../decorators/observed.js'\n\n/**\n * The action is allowed if the authenticated user's ID matches a specific property on the resource.\n * This is typically used to restrict access to resources owned by the user.\n * For example, a user can only access their own profile or documents.\n */\nexport interface MatchResourceOwnerAccessRuleSchema extends AccessRuleSchema {\n type: 'matchResourceOwner'\n /**\n * The property on the resource that references the user's ID (the key in the semantically annotated `User` entity).\n *\n * When the current exposed entity has a property annotated with the \"ResourceOwnerIdentifier\" semantic,\n * this property should be used. It directly references the user's key.\n *\n * The domain model should annotate this property with the \"ResourceOwnerIdentifier\" semantic\n * to indicate that it is used for ownership checks.\n */\n property?: string\n\n /**\n * The target for the ownership check.\n * - `property`: The check is performed against a specific property on the resource (default).\n * - `user-entity`: The check is performed against the entity itself (used when the entity represents the user).\n */\n target?: 'property' | 'user-entity'\n}\n\n/**\n * The action is allowed if the authenticated user's ID matches a specific property on the resource.\n * This is typically used to restrict access to resources owned by the user.\n * For example, a user can only access their own profile or documents.\n */\nexport class MatchResourceOwnerAccessRule extends AccessRule implements MatchResourceOwnerAccessRuleSchema {\n override readonly type: 'matchResourceOwner'\n\n @observed() accessor property: string | undefined\n @observed() accessor target: 'property' | 'user-entity'\n\n constructor(parent: ExposedEntity | ApiModel | Action, state: Partial<MatchResourceOwnerAccessRuleSchema> = {}) {\n super(\n parent,\n {\n list: AccessRuleExecutionPhase.FETCH,\n search: AccessRuleExecutionPhase.FETCH,\n read: AccessRuleExecutionPhase.POST_FETCH,\n update: AccessRuleExecutionPhase.POST_FETCH,\n delete: AccessRuleExecutionPhase.POST_FETCH,\n },\n state\n )\n this.type = 'matchResourceOwner'\n this.property = state.property\n this.target = state.target ?? 'property'\n }\n\n override toJSON(): MatchResourceOwnerAccessRuleSchema {\n const json: MatchResourceOwnerAccessRuleSchema = {\n ...(super.toJSON() as MatchResourceOwnerAccessRuleSchema),\n target: this.target,\n }\n if (this.property) {\n json.property = this.property\n }\n return json\n }\n}\n"]}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"MatchUserProperty.d.ts","sourceRoot":"","sources":["../../../../src/modeling/rules/MatchUserProperty.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAA;AAClD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAC9C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AACxD,OAAO,EAAE,UAAU,
|
|
1
|
+
{"version":3,"file":"MatchUserProperty.d.ts","sourceRoot":"","sources":["../../../../src/modeling/rules/MatchUserProperty.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAA;AAClD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAC9C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AACxD,OAAO,EAAE,UAAU,EAA4B,KAAK,gBAAgB,EAAE,MAAM,iBAAiB,CAAA;AAG7F;;;GAGG;AACH,MAAM,WAAW,iCAAkC,SAAQ,gBAAgB;IACzE,IAAI,EAAE,mBAAmB,CAAA;IACzB;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAA;IAChB;;OAEG;IACH,KAAK,EAAE,MAAM,CAAA;CACd;AAED;;;GAGG;AACH,qBAAa,2BAA4B,SAAQ,UAAW,YAAW,iCAAiC;IACtG,SAAkB,IAAI,EAAE,mBAAmB,CAAA;IAE/B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;IACzB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAA;gBAEtB,MAAM,EAAE,aAAa,GAAG,QAAQ,GAAG,MAAM,EAAE,KAAK,GAAE,OAAO,CAAC,iCAAiC,CAAM;IAkBpG,MAAM,IAAI,iCAAiC;CAOrD"}
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import { __esDecorate, __runInitializers } from "tslib";
|
|
2
|
-
import { AccessRule } from './AccessRule.js';
|
|
2
|
+
import { AccessRule, AccessRuleExecutionPhase } from './AccessRule.js';
|
|
3
3
|
import { observed } from '../../decorators/observed.js';
|
|
4
4
|
/**
|
|
5
5
|
* The action is allowed if a specific property on the authenticated user matches an expected value.
|
|
@@ -30,7 +30,14 @@ let MatchUserPropertyAccessRule = (() => {
|
|
|
30
30
|
get value() { return this.#value_accessor_storage; }
|
|
31
31
|
set value(value) { this.#value_accessor_storage = value; }
|
|
32
32
|
constructor(parent, state = {}) {
|
|
33
|
-
super(parent,
|
|
33
|
+
super(parent, {
|
|
34
|
+
list: AccessRuleExecutionPhase.PRE_FETCH,
|
|
35
|
+
create: AccessRuleExecutionPhase.PRE_FETCH,
|
|
36
|
+
search: AccessRuleExecutionPhase.PRE_FETCH,
|
|
37
|
+
read: AccessRuleExecutionPhase.PRE_FETCH,
|
|
38
|
+
update: AccessRuleExecutionPhase.PRE_FETCH,
|
|
39
|
+
delete: AccessRuleExecutionPhase.PRE_FETCH,
|
|
40
|
+
}, state);
|
|
34
41
|
__runInitializers(this, _value_extraInitializers);
|
|
35
42
|
this.type = 'matchUserProperty';
|
|
36
43
|
this.property = state.property ?? '';
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"MatchUserProperty.js","sourceRoot":"","sources":["../../../../src/modeling/rules/MatchUserProperty.ts"],"names":[],"mappings":";AAGA,OAAO,EAAE,UAAU,EAAyB,MAAM,iBAAiB,CAAA;
|
|
1
|
+
{"version":3,"file":"MatchUserProperty.js","sourceRoot":"","sources":["../../../../src/modeling/rules/MatchUserProperty.ts"],"names":[],"mappings":";AAGA,OAAO,EAAE,UAAU,EAAE,wBAAwB,EAAyB,MAAM,iBAAiB,CAAA;AAC7F,OAAO,EAAE,QAAQ,EAAE,MAAM,8BAA8B,CAAA;AAkBvD;;;GAGG;IACU,2BAA2B;sBAAS,UAAU;;;;;;;iBAA9C,2BAA4B,SAAQ,WAAU;;;oCAGxD,QAAQ,EAAE;iCACV,QAAQ,EAAE;YADC,6KAAS,QAAQ,6BAAR,QAAQ,2FAAQ;YACzB,oKAAS,KAAK,6BAAL,KAAK,qFAAQ;;;QAHhB,IAAI,CAAqB;QAE/B,qFAAyB;QAAzB,IAAS,QAAQ,8CAAQ;QAAzB,IAAS,QAAQ,oDAAQ;QACzB,uIAAsB;QAAtB,IAAS,KAAK,2CAAQ;QAAtB,IAAS,KAAK,iDAAQ;QAElC,YAAY,MAAyC,EAAE,QAAoD,EAAE;YAC3G,KAAK,CACH,MAAM,EACN;gBACE,IAAI,EAAE,wBAAwB,CAAC,SAAS;gBACxC,MAAM,EAAE,wBAAwB,CAAC,SAAS;gBAC1C,MAAM,EAAE,wBAAwB,CAAC,SAAS;gBAC1C,IAAI,EAAE,wBAAwB,CAAC,SAAS;gBACxC,MAAM,EAAE,wBAAwB,CAAC,SAAS;gBAC1C,MAAM,EAAE,wBAAwB,CAAC,SAAS;aAC3C,EACD,KAAK,CACN,CAAA;;YACD,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAA;YAC/B,IAAI,CAAC,QAAQ,GAAG,KAAK,CAAC,QAAQ,IAAI,EAAE,CAAA;YACpC,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC,KAAK,IAAI,EAAE,CAAA;SAC/B;QAEQ,MAAM;YACb,OAAO;gBACL,GAAI,KAAK,CAAC,MAAM,EAAwC;gBACxD,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,KAAK,EAAE,IAAI,CAAC,KAAK;aAClB,CAAA;QACH,CAAC;;;SA9BU,2BAA2B","sourcesContent":["import type { Action } from '../actions/Action.js'\nimport type { ApiModel } from '../ApiModel.js'\nimport type { ExposedEntity } from '../ExposedEntity.js'\nimport { AccessRule, AccessRuleExecutionPhase, type AccessRuleSchema } from './AccessRule.js'\nimport { observed } from '../../decorators/observed.js'\n\n/**\n * The action is allowed if a specific property on the authenticated user matches an expected value.\n * This is used to enforce other user-specific restrictions.\n */\nexport interface MatchUserPropertyAccessRuleSchema extends AccessRuleSchema {\n type: 'matchUserProperty'\n /**\n * The property on the authenticated user that should match the expected value.\n */\n property: string\n /**\n * The expected value for the user property.\n */\n value: string\n}\n\n/**\n * The action is allowed if a specific property on the authenticated user matches an expected value.\n * This is used to enforce other user-specific restrictions.\n */\nexport class MatchUserPropertyAccessRule extends AccessRule implements MatchUserPropertyAccessRuleSchema {\n override readonly type: 'matchUserProperty'\n\n @observed() accessor property: string\n @observed() accessor value: string\n\n constructor(parent: ExposedEntity | ApiModel | Action, state: Partial<MatchUserPropertyAccessRuleSchema> = {}) {\n super(\n parent,\n {\n list: AccessRuleExecutionPhase.PRE_FETCH,\n create: AccessRuleExecutionPhase.PRE_FETCH,\n search: AccessRuleExecutionPhase.PRE_FETCH,\n read: AccessRuleExecutionPhase.PRE_FETCH,\n update: AccessRuleExecutionPhase.PRE_FETCH,\n delete: AccessRuleExecutionPhase.PRE_FETCH,\n },\n state\n )\n this.type = 'matchUserProperty'\n this.property = state.property ?? ''\n this.value = state.value ?? ''\n }\n\n override toJSON(): MatchUserPropertyAccessRuleSchema {\n return {\n ...(super.toJSON() as MatchUserPropertyAccessRuleSchema),\n property: this.property,\n value: this.value,\n }\n }\n}\n"]}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"MatchUserRole.d.ts","sourceRoot":"","sources":["../../../../src/modeling/rules/MatchUserRole.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAA;AAClD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAC9C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AACxD,OAAO,EAAE,UAAU,
|
|
1
|
+
{"version":3,"file":"MatchUserRole.d.ts","sourceRoot":"","sources":["../../../../src/modeling/rules/MatchUserRole.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAA;AAClD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAC9C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AACxD,OAAO,EAAE,UAAU,EAA4B,KAAK,gBAAgB,EAAE,MAAM,iBAAiB,CAAA;AAG7F;;;;GAIG;AACH,MAAM,WAAW,6BAA8B,SAAQ,gBAAgB;IACrE,IAAI,EAAE,eAAe,CAAA;IACrB;;;;;;OAMG;IACH,IAAI,EAAE,MAAM,EAAE,CAAA;CACf;AAED;;;;GAIG;AACH,qBAAa,uBAAwB,SAAQ,UAAW,YAAW,6BAA6B;IAC9F,SAAkB,IAAI,EAAE,eAAe,CAAA;IAEb,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,CAAA;gBAErC,MAAM,EAAE,aAAa,GAAG,QAAQ,GAAG,MAAM,EAAE,KAAK,GAAE,OAAO,CAAC,6BAA6B,CAAM;IAiBhG,MAAM,IAAI,6BAA6B;CAMjD"}
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import { __esDecorate, __runInitializers } from "tslib";
|
|
2
|
-
import { AccessRule } from './AccessRule.js';
|
|
2
|
+
import { AccessRule, AccessRuleExecutionPhase } from './AccessRule.js';
|
|
3
3
|
import { observed, toRaw } from '../../decorators/observed.js';
|
|
4
4
|
/**
|
|
5
5
|
* The action is allowed if the authenticated user has a specific role.
|
|
@@ -23,7 +23,14 @@ let MatchUserRoleAccessRule = (() => {
|
|
|
23
23
|
get role() { return this.#role_accessor_storage; }
|
|
24
24
|
set role(value) { this.#role_accessor_storage = value; }
|
|
25
25
|
constructor(parent, state = {}) {
|
|
26
|
-
super(parent,
|
|
26
|
+
super(parent, {
|
|
27
|
+
list: AccessRuleExecutionPhase.PRE_FETCH,
|
|
28
|
+
create: AccessRuleExecutionPhase.PRE_FETCH,
|
|
29
|
+
search: AccessRuleExecutionPhase.PRE_FETCH,
|
|
30
|
+
read: AccessRuleExecutionPhase.PRE_FETCH,
|
|
31
|
+
update: AccessRuleExecutionPhase.PRE_FETCH,
|
|
32
|
+
delete: AccessRuleExecutionPhase.PRE_FETCH,
|
|
33
|
+
}, state);
|
|
27
34
|
__runInitializers(this, _role_extraInitializers);
|
|
28
35
|
this.type = 'matchUserRole';
|
|
29
36
|
this.role = state.role ? [...state.role] : [];
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"MatchUserRole.js","sourceRoot":"","sources":["../../../../src/modeling/rules/MatchUserRole.ts"],"names":[],"mappings":";AAGA,OAAO,EAAE,UAAU,EAAyB,MAAM,iBAAiB,CAAA;
|
|
1
|
+
{"version":3,"file":"MatchUserRole.js","sourceRoot":"","sources":["../../../../src/modeling/rules/MatchUserRole.ts"],"names":[],"mappings":";AAGA,OAAO,EAAE,UAAU,EAAE,wBAAwB,EAAyB,MAAM,iBAAiB,CAAA;AAC7F,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,8BAA8B,CAAA;AAmB9D;;;;GAIG;IACU,uBAAuB;sBAAS,UAAU;;;;iBAA1C,uBAAwB,SAAQ,WAAU;;;gCAGpD,QAAQ,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;YAAC,iKAAS,IAAI,6BAAJ,IAAI,mFAAU;;;QAF/B,IAAI,CAAiB;QAEb,6EAAuB;QAAvB,IAAS,IAAI,0CAAU;QAAvB,IAAS,IAAI,gDAAU;QAEjD,YAAY,MAAyC,EAAE,QAAgD,EAAE;YACvG,KAAK,CACH,MAAM,EACN;gBACE,IAAI,EAAE,wBAAwB,CAAC,SAAS;gBACxC,MAAM,EAAE,wBAAwB,CAAC,SAAS;gBAC1C,MAAM,EAAE,wBAAwB,CAAC,SAAS;gBAC1C,IAAI,EAAE,wBAAwB,CAAC,SAAS;gBACxC,MAAM,EAAE,wBAAwB,CAAC,SAAS;gBAC1C,MAAM,EAAE,wBAAwB,CAAC,SAAS;aAC3C,EACD,KAAK,CACN,CAAA;;YACD,IAAI,CAAC,IAAI,GAAG,eAAe,CAAA;YAC3B,IAAI,CAAC,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;SAC9C;QAEQ,MAAM;YACb,OAAO;gBACL,GAAI,KAAK,CAAC,MAAM,EAAoC;gBACpD,IAAI,EAAE,eAAe,CAAC,KAAK,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,CAAa;aAC1D,CAAA;QACH,CAAC;;;SA3BU,uBAAuB","sourcesContent":["import type { Action } from '../actions/Action.js'\nimport type { ApiModel } from '../ApiModel.js'\nimport type { ExposedEntity } from '../ExposedEntity.js'\nimport { AccessRule, AccessRuleExecutionPhase, type AccessRuleSchema } from './AccessRule.js'\nimport { observed, toRaw } from '../../decorators/observed.js'\n\n/**\n * The action is allowed if the authenticated user has a specific role.\n * This is used to enforce role-based access control (RBAC).\n * For example, only users with the \"admin\" role can perform certain actions.\n */\nexport interface MatchUserRoleAccessRuleSchema extends AccessRuleSchema {\n type: 'matchUserRole'\n /**\n * The role that the authenticated user must have to access the resource.\n * This is typically a property on the user entity that defines their role.\n *\n * The domain model should annotate this property with the \"UserRole\" semantic\n * to indicate that it is used for role-based access control.\n */\n role: string[]\n}\n\n/**\n * The action is allowed if the authenticated user has a specific role.\n * This is used to enforce role-based access control (RBAC).\n * For example, only users with the \"admin\" role can perform certain actions.\n */\nexport class MatchUserRoleAccessRule extends AccessRule implements MatchUserRoleAccessRuleSchema {\n override readonly type: 'matchUserRole'\n\n @observed({ deep: true }) accessor role: string[]\n\n constructor(parent: ExposedEntity | ApiModel | Action, state: Partial<MatchUserRoleAccessRuleSchema> = {}) {\n super(\n parent,\n {\n list: AccessRuleExecutionPhase.PRE_FETCH,\n create: AccessRuleExecutionPhase.PRE_FETCH,\n search: AccessRuleExecutionPhase.PRE_FETCH,\n read: AccessRuleExecutionPhase.PRE_FETCH,\n update: AccessRuleExecutionPhase.PRE_FETCH,\n delete: AccessRuleExecutionPhase.PRE_FETCH,\n },\n state\n )\n this.type = 'matchUserRole'\n this.role = state.role ? [...state.role] : []\n }\n\n override toJSON(): MatchUserRoleAccessRuleSchema {\n return {\n ...(super.toJSON() as MatchUserRoleAccessRuleSchema),\n role: structuredClone(toRaw(this, this.role)) as string[],\n }\n }\n}\n"]}
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
export { AccessRule, type AccessRuleSchema } from './AccessRule.js';
|
|
1
|
+
export { AccessRule, AccessRuleExecutionPhase, type AccessRuleSchema } from './AccessRule.js';
|
|
2
2
|
export { RateLimitingConfiguration, type RateLimitingConfigurationSchema } from './RateLimitingConfiguration.js';
|
|
3
3
|
import type { Action } from '../actions/Action.js';
|
|
4
4
|
import type { ApiModel } from '../ApiModel.js';
|
|
@@ -8,14 +8,16 @@ import { AllowAuthenticatedAccessRule, type AllowAuthenticatedAccessRuleSchema }
|
|
|
8
8
|
import { AllowPublicAccessRule, type AllowPublicAccessRuleSchema } from './AllowPublic.js';
|
|
9
9
|
import { MatchEmailDomainAccessRule, type MatchEmailDomainAccessRuleSchema } from './MatchEmailDomain.js';
|
|
10
10
|
import { MatchResourceOwnerAccessRule, type MatchResourceOwnerAccessRuleSchema } from './MatchResourceOwner.js';
|
|
11
|
+
import { MatchResourceAttributeAccessRule, type MatchResourceAttributeAccessRuleSchema, type MatchResourceAttributeOperator } from './MatchResourceAttribute.js';
|
|
12
|
+
import { LifecycleStatusAccessRule, type LifecycleStatusAccessRuleSchema } from './LifecycleStatus.js';
|
|
11
13
|
import { MatchUserPropertyAccessRule, type MatchUserPropertyAccessRuleSchema } from './MatchUserProperty.js';
|
|
12
14
|
import { MatchUserRoleAccessRule, type MatchUserRoleAccessRuleSchema } from './MatchUserRole.js';
|
|
13
15
|
import { RateLimitRule, type RateLimitRuleSchema } from './RateLimitRule.js';
|
|
14
|
-
export { AllowAuthenticatedAccessRule, AllowPublicAccessRule, MatchEmailDomainAccessRule, MatchResourceOwnerAccessRule, MatchUserPropertyAccessRule, MatchUserRoleAccessRule, RateLimitRule, };
|
|
15
|
-
export type { AllowAuthenticatedAccessRuleSchema, AllowPublicAccessRuleSchema, MatchEmailDomainAccessRuleSchema, MatchResourceOwnerAccessRuleSchema, MatchUserPropertyAccessRuleSchema, MatchUserRoleAccessRuleSchema, RateLimitRuleSchema, };
|
|
16
|
-
export type ApiAccessRule = AllowAuthenticatedAccessRule | AllowPublicAccessRule | MatchEmailDomainAccessRule | MatchResourceOwnerAccessRule | MatchUserPropertyAccessRule | MatchUserRoleAccessRule;
|
|
17
|
-
export type ApiAccessRuleSchema = AllowAuthenticatedAccessRuleSchema | AllowPublicAccessRuleSchema | MatchEmailDomainAccessRuleSchema | MatchResourceOwnerAccessRuleSchema | MatchUserPropertyAccessRuleSchema | MatchUserRoleAccessRuleSchema;
|
|
18
|
-
export type RuleType = 'allowAuthenticated' | 'allowPublic' | 'matchEmailDomain' | 'matchResourceOwner' | 'matchUserProperty' | 'matchUserRole';
|
|
16
|
+
export { AllowAuthenticatedAccessRule, AllowPublicAccessRule, MatchEmailDomainAccessRule, MatchResourceOwnerAccessRule, MatchResourceAttributeAccessRule, LifecycleStatusAccessRule, MatchUserPropertyAccessRule, MatchUserRoleAccessRule, RateLimitRule, };
|
|
17
|
+
export type { MatchResourceAttributeOperator, AllowAuthenticatedAccessRuleSchema, AllowPublicAccessRuleSchema, MatchEmailDomainAccessRuleSchema, MatchResourceOwnerAccessRuleSchema, MatchResourceAttributeAccessRuleSchema, LifecycleStatusAccessRuleSchema, MatchUserPropertyAccessRuleSchema, MatchUserRoleAccessRuleSchema, RateLimitRuleSchema, };
|
|
18
|
+
export type ApiAccessRule = AllowAuthenticatedAccessRule | AllowPublicAccessRule | MatchEmailDomainAccessRule | MatchResourceOwnerAccessRule | MatchResourceAttributeAccessRule | LifecycleStatusAccessRule | MatchUserPropertyAccessRule | MatchUserRoleAccessRule;
|
|
19
|
+
export type ApiAccessRuleSchema = AllowAuthenticatedAccessRuleSchema | AllowPublicAccessRuleSchema | MatchEmailDomainAccessRuleSchema | MatchResourceOwnerAccessRuleSchema | MatchResourceAttributeAccessRuleSchema | LifecycleStatusAccessRuleSchema | MatchUserPropertyAccessRuleSchema | MatchUserRoleAccessRuleSchema;
|
|
20
|
+
export type RuleType = 'allowAuthenticated' | 'allowPublic' | 'matchEmailDomain' | 'matchResourceOwner' | 'matchResourceAttribute' | 'lifecycleStatus' | 'matchUserProperty' | 'matchUserRole';
|
|
19
21
|
/**
|
|
20
22
|
* Restores an access rule from a schema.
|
|
21
23
|
*
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/modeling/rules/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,KAAK,gBAAgB,EAAE,MAAM,iBAAiB,CAAA;
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/modeling/rules/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,wBAAwB,EAAE,KAAK,gBAAgB,EAAE,MAAM,iBAAiB,CAAA;AAC7F,OAAO,EAAE,yBAAyB,EAAE,KAAK,+BAA+B,EAAE,MAAM,gCAAgC,CAAA;AAEhH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAA;AAClD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAC9C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AACxD,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAA;AAClD,OAAO,EAAE,4BAA4B,EAAE,KAAK,kCAAkC,EAAE,MAAM,yBAAyB,CAAA;AAC/G,OAAO,EAAE,qBAAqB,EAAE,KAAK,2BAA2B,EAAE,MAAM,kBAAkB,CAAA;AAC1F,OAAO,EAAE,0BAA0B,EAAE,KAAK,gCAAgC,EAAE,MAAM,uBAAuB,CAAA;AACzG,OAAO,EAAE,4BAA4B,EAAE,KAAK,kCAAkC,EAAE,MAAM,yBAAyB,CAAA;AAC/G,OAAO,EACL,gCAAgC,EAChC,KAAK,sCAAsC,EAC3C,KAAK,8BAA8B,EACpC,MAAM,6BAA6B,CAAA;AACpC,OAAO,EAAE,yBAAyB,EAAE,KAAK,+BAA+B,EAAE,MAAM,sBAAsB,CAAA;AACtG,OAAO,EAAE,2BAA2B,EAAE,KAAK,iCAAiC,EAAE,MAAM,wBAAwB,CAAA;AAC5G,OAAO,EAAE,uBAAuB,EAAE,KAAK,6BAA6B,EAAE,MAAM,oBAAoB,CAAA;AAChG,OAAO,EAAE,aAAa,EAAE,KAAK,mBAAmB,EAAE,MAAM,oBAAoB,CAAA;AAE5E,OAAO,EACL,4BAA4B,EAC5B,qBAAqB,EACrB,0BAA0B,EAC1B,4BAA4B,EAC5B,gCAAgC,EAChC,yBAAyB,EACzB,2BAA2B,EAC3B,uBAAuB,EACvB,aAAa,GACd,CAAA;AACD,YAAY,EACV,8BAA8B,EAC9B,kCAAkC,EAClC,2BAA2B,EAC3B,gCAAgC,EAChC,kCAAkC,EAClC,sCAAsC,EACtC,+BAA+B,EAC/B,iCAAiC,EACjC,6BAA6B,EAC7B,mBAAmB,GACpB,CAAA;AAED,MAAM,MAAM,aAAa,GACrB,4BAA4B,GAC5B,qBAAqB,GACrB,0BAA0B,GAC1B,4BAA4B,GAC5B,gCAAgC,GAChC,yBAAyB,GACzB,2BAA2B,GAC3B,uBAAuB,CAAA;AAC3B,MAAM,MAAM,mBAAmB,GAC3B,kCAAkC,GAClC,2BAA2B,GAC3B,gCAAgC,GAChC,kCAAkC,GAClC,sCAAsC,GACtC,+BAA+B,GAC/B,iCAAiC,GACjC,6BAA6B,CAAA;AAEjC,MAAM,MAAM,QAAQ,GAChB,oBAAoB,GACpB,aAAa,GACb,kBAAkB,GAClB,oBAAoB,GACpB,wBAAwB,GACxB,iBAAiB,GACjB,mBAAmB,GACnB,eAAe,CAAA;AAEnB;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,aAAa,GAAG,QAAQ,GAAG,MAAM,EAAE,MAAM,EAAE,gBAAgB,GAAG,aAAa,CAwBpH"}
|
|
@@ -1,14 +1,16 @@
|
|
|
1
|
-
export { AccessRule } from './AccessRule.js';
|
|
1
|
+
export { AccessRule, AccessRuleExecutionPhase } from './AccessRule.js';
|
|
2
2
|
export { RateLimitingConfiguration } from './RateLimitingConfiguration.js';
|
|
3
3
|
import { Exception } from '../../exceptions/exception.js';
|
|
4
4
|
import { AllowAuthenticatedAccessRule } from './AllowAuthenticated.js';
|
|
5
5
|
import { AllowPublicAccessRule } from './AllowPublic.js';
|
|
6
6
|
import { MatchEmailDomainAccessRule } from './MatchEmailDomain.js';
|
|
7
7
|
import { MatchResourceOwnerAccessRule } from './MatchResourceOwner.js';
|
|
8
|
+
import { MatchResourceAttributeAccessRule, } from './MatchResourceAttribute.js';
|
|
9
|
+
import { LifecycleStatusAccessRule } from './LifecycleStatus.js';
|
|
8
10
|
import { MatchUserPropertyAccessRule } from './MatchUserProperty.js';
|
|
9
11
|
import { MatchUserRoleAccessRule } from './MatchUserRole.js';
|
|
10
12
|
import { RateLimitRule } from './RateLimitRule.js';
|
|
11
|
-
export { AllowAuthenticatedAccessRule, AllowPublicAccessRule, MatchEmailDomainAccessRule, MatchResourceOwnerAccessRule, MatchUserPropertyAccessRule, MatchUserRoleAccessRule, RateLimitRule, };
|
|
13
|
+
export { AllowAuthenticatedAccessRule, AllowPublicAccessRule, MatchEmailDomainAccessRule, MatchResourceOwnerAccessRule, MatchResourceAttributeAccessRule, LifecycleStatusAccessRule, MatchUserPropertyAccessRule, MatchUserRoleAccessRule, RateLimitRule, };
|
|
12
14
|
/**
|
|
13
15
|
* Restores an access rule from a schema.
|
|
14
16
|
*
|
|
@@ -27,6 +29,10 @@ export function restoreAccessRule(parent, schema) {
|
|
|
27
29
|
return new MatchEmailDomainAccessRule(parent, schema);
|
|
28
30
|
case 'matchResourceOwner':
|
|
29
31
|
return new MatchResourceOwnerAccessRule(parent, schema);
|
|
32
|
+
case 'matchResourceAttribute':
|
|
33
|
+
return new MatchResourceAttributeAccessRule(parent, schema);
|
|
34
|
+
case 'lifecycleStatus':
|
|
35
|
+
return new LifecycleStatusAccessRule(parent, schema);
|
|
30
36
|
case 'matchUserProperty':
|
|
31
37
|
return new MatchUserPropertyAccessRule(parent, schema);
|
|
32
38
|
case 'matchUserRole':
|