@apipass/cerbos-pep 0.0.67

@@ -0,0 +1,9 @@
1
+ export declare const CERBOS_METADATA_KEY = "cerbos:permission";
2
+ export interface CerbosPermission {
3
+ resource: {
4
+ kind: string;
5
+ id?: string;
6
+ };
7
+ actions: string[];
8
+ }
9
+ export declare const CerbosPermission: (permission: CerbosPermission) => import("@nestjs/common").CustomDecorator<string>;
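Review bot: `actions: string[]` accepts an empty array, and the interceptor shipped in this package decides with `permission.actions.every(...)`, which is vacuously true for an empty list, so whether `@CerbosPermission({ ..., actions: [] })` denies depends entirely on the Cerbos call rejecting the request. Declaring the field as `actions: [string, ...string[]];` would turn that misconfiguration into a compile error. The interface also has no TSDoc; a comment on `id?` such as `/** Resource id sent to Cerbos; when omitted the interceptor uses the handler's function name. */` would document a fallback that is otherwise only visible in the compiled interceptor.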
@@ -0,0 +1,8 @@
1
+ "use strict";
2
+ Object.defineProperty(exports, "__esModule", { value: true });
3
+ exports.CerbosPermission = exports.CERBOS_METADATA_KEY = void 0;
4
+ const common_1 = require("@nestjs/common");
5
+ exports.CERBOS_METADATA_KEY = 'cerbos:permission';
6
+ const CerbosPermission = (permission) => (0, common_1.SetMetadata)(exports.CERBOS_METADATA_KEY, permission);
7
+ exports.CerbosPermission = CerbosPermission;
8
+ //# sourceMappingURL=cerbos.decorator.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"cerbos.decorator.js","sourceRoot":"","sources":["../src/cerbos.decorator.ts"],"names":[],"mappings":";;;AAAA,2CAA4C;AAE/B,QAAA,mBAAmB,GAAG,mBAAmB,CAAA;AAU/C,MAAM,gBAAgB,GAAG,CAAC,UAA4B,EAAE,EAAE,CAC/D,IAAA,oBAAW,EAAC,2BAAmB,EAAE,UAAU,CAAC,CAAA;AADjC,QAAA,gBAAgB,oBACiB"}
@@ -0,0 +1,8 @@
1
+ import { type NestInterceptor, type ExecutionContext, type CallHandler } from '@nestjs/common';
2
+ import { Reflector } from '@nestjs/core';
3
+ import { type Observable } from 'rxjs';
4
+ export declare class CerbosInterceptor implements NestInterceptor {
5
+ private readonly reflector;
6
+ constructor(reflector: Reflector);
7
+ intercept(context: ExecutionContext, next: CallHandler): Promise<Observable<any>>;
8
+ }
@@ -0,0 +1,74 @@
1
+ "use strict";
2
+ var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
3
+ var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
4
+ if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
5
+ else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
6
+ return c > 3 && r && Object.defineProperty(target, key, r), r;
7
+ };
8
+ var __metadata = (this && this.__metadata) || function (k, v) {
9
+ if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
10
+ };
11
+ Object.defineProperty(exports, "__esModule", { value: true });
12
+ exports.CerbosInterceptor = void 0;
13
+ const common_1 = require("@nestjs/common");
14
+ const core_1 = require("@nestjs/core");
15
+ const cerbos_decorator_1 = require("./cerbos.decorator");
16
+ let cerbosInstance = null;
17
+ async function getCerbos() {
18
+ if (!cerbosInstance) {
19
+ const { HTTP: Cerbos } = (await import('@cerbos/http'));
20
+ cerbosInstance = new Cerbos('http://127.0.0.1:3592');
21
+ }
22
+ return cerbosInstance;
23
+ }
24
+ let CerbosInterceptor = class CerbosInterceptor {
25
+ constructor(reflector) {
26
+ this.reflector = reflector;
27
+ }
28
+ async intercept(context, next) {
29
+ const permission = this.reflector.getAllAndOverride(cerbos_decorator_1.CERBOS_METADATA_KEY, [context.getHandler(), context.getClass()]);
30
+ if (!permission) {
31
+ return next.handle();
32
+ }
33
+ const ctx = context.switchToHttp();
34
+ const request = ctx.getRequest();
35
+ const role = request.headers.role?.toLowerCase();
36
+ const accountId = request.headers.account_id;
37
+ if (!role || !accountId) {
38
+ throw new common_1.ForbiddenException('Missing authorization headers');
39
+ }
40
+ const cerbosRequest = {
41
+ principal: {
42
+ id: role,
43
+ roles: [role],
44
+ attributes: { accountId }
45
+ },
46
+ resource: {
47
+ kind: permission.resource.kind,
48
+ id: permission.resource.id ?? context.getHandler().name,
49
+ attributes: {}
50
+ },
51
+ actions: permission.actions
52
+ };
53
+ try {
54
+ const cerbos = await getCerbos();
55
+ const result = await cerbos.checkResource(cerbosRequest);
56
+ const allowed = permission.actions.every((action) => result.isAllowed(action));
57
+ if (!allowed) {
58
+ throw new common_1.ForbiddenException('Access denied by Cerbos');
59
+ }
60
+ }
61
+ catch (error) {
62
+ if (error instanceof common_1.ForbiddenException)
63
+ throw error;
64
+ throw new common_1.ForbiddenException('Error checking permissions');
65
+ }
66
+ return next.handle();
67
+ }
68
+ };
69
+ exports.CerbosInterceptor = CerbosInterceptor;
70
+ exports.CerbosInterceptor = CerbosInterceptor = __decorate([
71
+ (0, common_1.Injectable)(),
72
+ __metadata("design:paramtypes", [core_1.Reflector])
73
+ ], CerbosInterceptor);
74
+ //# sourceMappingURL=cerbos.interceptor.js.map
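Review bot: The Cerbos principal in `intercept` is built entirely from the `role` and `account_id` request headers, which any client can set, so the policy check authorizes whatever role the caller claims unless an upstream gateway is guaranteed to strip and re-issue those headers (nothing in this package enforces or documents that). The principal should come from the authenticated request context populated by an authentication guard, and the role should not double as `principal.id`, since that makes every user of a role the same principal in Cerbos decisions and audit logs. The sketch below assumes a `request.user` object with `id`, `roles` and `accountId`; those field names are placeholders to adapt, and the change belongs in the TypeScript source rather than this compiled file. Separately, handlers without `@CerbosPermission` metadata go straight to `next.handle()`, so a forgotten decorator leaves a route unchecked; that default deserves at least a comment.

```javascript
// … unchanged: metadata lookup and early return when no permission is declared …
const request = context.switchToHttp().getRequest();
// Identity must come from the authentication layer, never from client-writable headers.
// NOTE: the shape of request.user is an assumption; adapt to the application's auth guard.
const user = request.user;
const roles = Array.isArray(user?.roles) ? user.roles.map((r) => String(r).toLowerCase()) : [];
if (!user?.id || roles.length === 0 || !user.accountId) {
    throw new common_1.ForbiddenException('Missing authenticated principal');
}
const cerbosRequest = {
    principal: {
        id: String(user.id),
        roles,
        attributes: { accountId: user.accountId }
    },
    // … unchanged: resource and actions …
};
// … unchanged: checkResource call and fail-closed error handling …
```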
@@ -0,0 +1 @@
1
+ {"version":3,"file":"cerbos.interceptor.js","sourceRoot":"","sources":["../src/cerbos.interceptor.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,2CAMuB;AACvB,uCAAwC;AAExC,yDAA+E;AAI/E,IAAI,cAAc,GAAkD,IAAI,CAAA;AAExE,KAAK,UAAU,SAAS;IACtB,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,MAAM,CAAC,cAAc,CAAC,CAAqB,CAAA;QAC3E,cAAc,GAAG,IAAI,MAAM,CAAC,uBAAuB,CAAC,CAAA;IACtD,CAAC;IACD,OAAO,cAAc,CAAA;AACvB,CAAC;AAGM,IAAM,iBAAiB,GAAvB,MAAM,iBAAiB;IAC5B,YAA8B,SAAoB;QAApB,cAAS,GAAT,SAAS,CAAW;IAAG,CAAC;IAEtD,KAAK,CAAC,SAAS,CACX,OAAyB,EACzB,IAAiB;QAEnB,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,iBAAiB,CAC/C,sCAAmB,EACnB,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC,CAC7C,CAAA;QAED,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,IAAI,CAAC,MAAM,EAAE,CAAA;QACtB,CAAC;QAED,MAAM,GAAG,GAAG,OAAO,CAAC,YAAY,EAAE,CAAA;QAClC,MAAM,OAAO,GAAG,GAAG,CAAC,UAAU,EAAE,CAAA;QAEhC,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,WAAW,EAAE,CAAA;QAChD,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,UAAU,CAAA;QAE5C,IAAI,CAAC,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACxB,MAAM,IAAI,2BAAkB,CAAC,+BAA+B,CAAC,CAAA;QAC/D,CAAC;QAED,MAAM,aAAa,GAAG;YACpB,SAAS,EAAE;gBACT,EAAE,EAAE,IAAI;gBACR,KAAK,EAAE,CAAC,IAAI,CAAC;gBACb,UAAU,EAAE,EAAE,SAAS,EAAE;aAC1B;YACD,QAAQ,EAAE;gBACR,IAAI,EAAE,UAAU,CAAC,QAAQ,CAAC,IAAI;gBAC9B,EAAE,EAAE,UAAU,CAAC,QAAQ,CAAC,EAAE,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC,IAAI;gBACvD,UAAU,EAAE,EAAE;aACf;YACD,OAAO,EAAE,UAAU,CAAC,OAAO;SAC5B,CAAA;QAED,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,SAAS,EAAE,CAAA;YAEhC,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,aAAa,CAAC,CAAA;YAExD,MAAM,OAAO,GAAG,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,MAAM,EAAE,EAAE,CAChD,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,CAC3B,CAAA;YAED,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,2BAAkB,CAAC,yBAAyB,CAAC,CAAA;YACzD,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,2BAAkB;gBAAE,MAAM,KAAK,CAAA;YACpD,MAAM,IAAI,2BAAkB,CAAC,4BAA4B,CAAC,CAAA;QAC5D,CAAC;QAED,OAAO,IAAI,CAAC,MAAM,EAAE,CAAA;IACtB,CAAC;CACF,CAAA;AA3DY,8CAAiB;4BAAjB,iBAAiB;IAD7B,IAAA,mBAAU,GAAE;qCAE8B,gBAAS;GADvC,iBAA
iB,CA2D7B"}
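--- a/package/lib/index.d.ts
+++ b/package/lib/index.d.ts
@@ -0,0 +1,2 @@
+export * from './cerbos.decorator';
+export * from './cerbos.interceptor';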
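--- a/package/lib/index.js
+++ b/package/lib/index.js
@@ -0,0 +1,19 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+if (k2 === undefined) k2 = k;
+var desc = Object.getOwnPropertyDescriptor(m, k);
+if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+desc = { enumerable: true, get: function() { return m[k]; } };
+}
+Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+if (k2 === undefined) k2 = k;
+o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./cerbos.decorator"), exports);
+__exportStar(require("./cerbos.interceptor"), exports);
+//# sourceMappingURL=index.js.map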
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,qDAAkC;AAClC,uDAAoC"}
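--- a/package/package.json
+++ b/package/package.json
@@ -0,0 +1,32 @@
+{
+"name": "@apipass/cerbos-pep",
+"version": "0.0.67",
+"description": "Cerbos PEP utility for NestJS",
+"author": "Junie",
+"license": "ISC",
+"main": "lib/index.js",
+"typings": "lib/index.d.ts",
+"directories": {
+"lib": "lib"
+},
+"files": [
+"lib"
+],
+"publishConfig": {
+"access": "public"
+},
+"scripts": {
+"tsc": "tsc"
+},
+"dependencies": {
+"@cerbos/http": "^0.24.1",
+"@nestjs/common": "10.4.15",
+"@nestjs/core": "10.4.15",
+"rxjs": "^7.8.1"
+},
+"peerDependencies": {
+"@nestjs/common": "10.4.15",
+"@nestjs/core": "10.4.15"
+},
+"gitHead": "a3093f396fb97251363206ddd600c21436a65587"
+}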
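Review bot: `@nestjs/common` and `@nestjs/core` appear in both `dependencies` and `peerDependencies`, pinned to exactly `10.4.15`, so a host application on any other Nest version is likely to get a second, nested copy of Nest installed for this package. The interceptor's `Reflector` and `ForbiddenException` would then come from a different module instance than the host's, which can break injection or cause the 403 to be handled as an unknown error instead of an HTTP exception. Listing them only under `peerDependencies` with a range, for example `"@nestjs/common": "^10.0.0"`, avoids that; `rxjs` is normally treated the same way.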