@apipass/cerbos-pep 0.0.69 → 0.0.71

package/README.md

@@ -0,0 +1,123 @@
+# @apipass/cerbos-pep
+
+[English](#english) | [Português](#português)
+
+---
+
+## English
+
+### Description
+`@apipass/cerbos-pep` is a NestJS utility designed to simplify integration with [Cerbos](https://cerbos.dev/), an open-source authorization layer. This package provides a PEP (Policy Enforcement Point) through a NestJS Interceptor that automatically validates permissions against a Cerbos PDP (Policy Decision Point).
+
+### How it works
+The interceptor intercepts incoming HTTP requests, extracts principal information (role and account id) from the request headers (`role` and `account_id`), and checks if the principal is allowed to perform specific actions on a resource defined via the `@CerbosPermission` decorator.
+
+### Usage Example
+
+#### 1. Import CerbosModule
+Register the `CerbosModule` in your `AppModule`:
+
+```typescript
+import { CerbosModule } from '@apipass/cerbos-pep';
+
+@Module({
+  imports: [
+    CerbosModule.register({
+      url: process.env.CERBOS_PDP_URL ?? 'http://127.0.0.1:3592', // Cerbos PDP URL
+    }),
+  ],
+})
+export class AppModule {}
+```
+
+#### 2. Apply the Interceptor
+You can apply the `CerbosInterceptor` globally, at the controller level, or per-route:
+
+```typescript
+import { CerbosInterceptor } from '@apipass/cerbos-pep';
+import { UseInterceptors } from '@nestjs/common';
+
+@UseInterceptors(CerbosInterceptor)
+@Controller('orders')
+export class OrdersController {}
+```
+
+#### 3. Define Permissions
+Use the `@CerbosPermission` decorator to protect your routes:
+
+```typescript
+import { CerbosPermission } from '@apipass/cerbos-pep';
+
+@Get(':id')
+@CerbosPermission({
+  resource: {
+    kind: 'order',
+  },
+  actions: ['read'],
+})
+async getOrder(@Param('id') id: string) {
+  return this.ordersService.findOne(id);
+}
+```
+
+**Note:** The interceptor expects `role` and `account_id` headers to be present in the request.
+
+---
+
+## Português
+
+### Descrição
+O `@apipass/cerbos-pep` é um utilitário para NestJS projetado para simplificar a integração com o [Cerbos](https://cerbos.dev/), uma camada de autorização de código aberto. Este pacote fornece um PEP (Policy Enforcement Point) por meio de um Interceptor do NestJS que valida automaticamente as permissões em um Cerbos PDP (Policy Decision Point).
+
+### Como funciona
+O interceptor intercepta as requisições HTTP, extrai as informações do principal (role e id da conta) dos cabeçalhos da requisição (`role` e `account_id`) e verifica se o principal tem permissão para realizar ações específicas em um recurso definido através do decorador `@CerbosPermission`.
+
+### Exemplo de Utilização
+
+#### 1. Importar o CerbosModule
+Registre o `CerbosModule` no seu `AppModule`:
+
+```typescript
+import { CerbosModule } from '@apipass/cerbos-pep';
+
+@Module({
+  imports: [
+    CerbosModule.register({
+      url: 'http://localhost:3592', // URL do Cerbos PDP
+    }),
+  ],
+})
+export class AppModule {}
+```
+
+#### 2. Aplicar o Interceptor
+Você pode aplicar o `CerbosInterceptor` globalmente, no nível do controller ou por rota:
+
+```typescript
+import { CerbosInterceptor } from '@apipass/cerbos-pep';
+import { UseInterceptors } from '@nestjs/common';
+
+@UseInterceptors(CerbosInterceptor)
+@Controller('orders')
+export class OrdersController {}
+```
+
+#### 3. Definir Permissões
+Use o decorador `@CerbosPermission` para proteger suas rotas:
+
+```typescript
+import { CerbosPermission } from '@apipass/cerbos-pep';
+
+@Get(':id')
+@CerbosPermission({
+  resource: {
+    kind: 'order',
+  },
+  actions: ['read'],
+})
+async getOrder(@Param('id') id: string) {
+  return this.ordersService.findOne(id);
+}
+```
+
+**Nota:** O interceptor espera que os headers `role` e `account_id` estejam presentes na requisição.

package/lib/adapters/cerbos-authorization.adapter.d.ts

@@ -0,0 +1,8 @@
+import { AuthorizationPort } from '../ports/authorization.port';
+import { GetQueryPlanParams } from '../get-query-plan';
+import { CerbosService } from "../cerbos.service";
+export declare class CerbosAuthorizationAdapter implements AuthorizationPort {
+    private readonly cerbosService;
+    constructor(cerbosService: CerbosService);
+    getQueryPlan(params: GetQueryPlanParams): Promise<any>;
+}

package/lib/adapters/cerbos-authorization.adapter.js

@@ -0,0 +1,28 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CerbosAuthorizationAdapter = void 0;
+const common_1 = require("@nestjs/common");
+const cerbos_service_1 = require("../cerbos.service");
+let CerbosAuthorizationAdapter = class CerbosAuthorizationAdapter {
+    constructor(cerbosService) {
+        this.cerbosService = cerbosService;
+    }
+    async getQueryPlan(params) {
+        return this.cerbosService.getQueryPlan(params);
+    }
+};
+exports.CerbosAuthorizationAdapter = CerbosAuthorizationAdapter;
+exports.CerbosAuthorizationAdapter = CerbosAuthorizationAdapter = __decorate([
+    (0, common_1.Injectable)(),
+    __metadata("design:paramtypes", [cerbos_service_1.CerbosService])
+], CerbosAuthorizationAdapter);
+//# sourceMappingURL=cerbos-authorization.adapter.js.map

package/lib/adapters/cerbos-authorization.adapter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cerbos-authorization.adapter.js","sourceRoot":"","sources":["../../src/adapters/cerbos-authorization.adapter.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,2CAA2C;AAG3C,sDAAkD;AAG3C,IAAM,0BAA0B,GAAhC,MAAM,0BAA0B;IACnC,YACqB,aAA4B;QAA5B,kBAAa,GAAb,aAAa,CAAe;IAC9C,CAAC;IAEJ,KAAK,CAAC,YAAY,CAAC,MAA0B;QACzC,OAAO,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,MAAM,CAAC,CAAA;IAClD,CAAC;CACJ,CAAA;AARY,gEAA0B;qCAA1B,0BAA0B;IADtC,IAAA,mBAAU,GAAE;qCAG2B,8BAAa;GAFxC,0BAA0B,CAQtC"}

package/lib/authorizatio-context.d.ts

@@ -0,0 +1,7 @@
+export interface AuthorizationContext {
+    role: string;
+    accountId: string;
+}
+export declare class HttpAuthorizationContextExtractor {
+    extract(req: any): AuthorizationContext;
+}

package/lib/authorizatio-context.js

@@ -0,0 +1,25 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HttpAuthorizationContextExtractor = void 0;
+const common_1 = require("@nestjs/common");
+let HttpAuthorizationContextExtractor = class HttpAuthorizationContextExtractor {
+    extract(req) {
+        const role = req.headers.role?.toLowerCase();
+        const accountId = req.headers.account_id;
+        if (!role || !accountId) {
+            throw new common_1.ForbiddenException('Missing authorization headers');
+        }
+        return { role, accountId };
+    }
+};
+exports.HttpAuthorizationContextExtractor = HttpAuthorizationContextExtractor;
+exports.HttpAuthorizationContextExtractor = HttpAuthorizationContextExtractor = __decorate([
+    (0, common_1.Injectable)()
+], HttpAuthorizationContextExtractor);
+//# sourceMappingURL=authorizatio-context.js.map

package/lib/authorizatio-context.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorizatio-context.js","sourceRoot":"","sources":["../src/authorizatio-context.ts"],"names":[],"mappings":";;;;;;;;;AAAA,2CAA8D;AAQvD,IAAM,iCAAiC,GAAvC,MAAM,iCAAiC;IAC1C,OAAO,CAAC,GAAQ;QACZ,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,WAAW,EAAE,CAAA;QAC5C,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,UAAU,CAAA;QAExC,IAAI,CAAC,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACtB,MAAM,IAAI,2BAAkB,CAAC,+BAA+B,CAAC,CAAA;QACjE,CAAC;QAED,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,CAAA;IAC9B,CAAC;CACJ,CAAA;AAXY,8EAAiC;4CAAjC,iCAAiC;IAD7C,IAAA,mBAAU,GAAE;GACA,iCAAiC,CAW7C"}

package/lib/cerbos-request-factory.d.ts

@@ -0,0 +1,19 @@
+import { AuthorizationContext } from "./authorizatio-context";
+import { CerbosPermission } from "./cerbos.decorator";
+export declare class CerbosRequestFactory {
+    static fromHttp(permission: CerbosPermission, ctx: AuthorizationContext, handlerName: string): {
+        principal: {
+            id: string;
+            roles: string[];
+            attributes: {
+                accountId: string;
+            };
+        };
+        resource: {
+            kind: string;
+            id: string;
+            attributes: {};
+        };
+        actions: string[];
+    };
+}

package/lib/cerbos-request-factory.js

@@ -0,0 +1,22 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CerbosRequestFactory = void 0;
+class CerbosRequestFactory {
+    static fromHttp(permission, ctx, handlerName) {
+        return {
+            principal: {
+                id: ctx.role,
+                roles: [ctx.role],
+                attributes: { accountId: ctx.accountId }
+            },
+            resource: {
+                kind: permission.resource.kind,
+                id: permission.resource.id ?? handlerName,
+                attributes: {}
+            },
+            actions: permission.actions
+        };
+    }
+}
+exports.CerbosRequestFactory = CerbosRequestFactory;
+//# sourceMappingURL=cerbos-request-factory.js.map

package/lib/cerbos-request-factory.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cerbos-request-factory.js","sourceRoot":"","sources":["../src/cerbos-request-factory.ts"],"names":[],"mappings":";;;AAGA,MAAa,oBAAoB;IAC7B,MAAM,CAAC,QAAQ,CAAC,UAA4B,EAAE,GAAyB,EAAE,WAAmB;QACxF,OAAO;YACH,SAAS,EAAE;gBACP,EAAE,EAAE,GAAG,CAAC,IAAI;gBACZ,KAAK,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC;gBACjB,UAAU,EAAE,EAAE,SAAS,EAAE,GAAG,CAAC,SAAS,EAAE;aAC3C;YACD,QAAQ,EAAE;gBACN,IAAI,EAAE,UAAU,CAAC,QAAQ,CAAC,IAAI;gBAC9B,EAAE,EAAE,UAAU,CAAC,QAAQ,CAAC,EAAE,IAAI,WAAW;gBACzC,UAAU,EAAE,EAAE;aACjB;YACD,OAAO,EAAE,UAAU,CAAC,OAAO;SAC9B,CAAA;IACL,CAAC;CACJ;AAhBD,oDAgBC"}

package/lib/cerbos.decorator.d.ts

@@ -1,5 +1,11 @@
 export declare const CERBOS_METADATA_KEY = "cerbos:permission";
+export declare const CerbosMode: {
+    readonly CHECK: "CHECK";
+    readonly QUERY_PLAN: "QUERY_PLAN";
+};
+export type CerbosMode = typeof CerbosMode[keyof typeof CerbosMode];
 export interface CerbosPermission {
+    mode?: CerbosMode;
     resource: {
         kind: string;
         id?: string;

package/lib/cerbos.decorator.js

@@ -1,8 +1,12 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.CerbosPermission = exports.CERBOS_METADATA_KEY = void 0;
+exports.CerbosPermission = exports.CerbosMode = exports.CERBOS_METADATA_KEY = void 0;
 const common_1 = require("@nestjs/common");
 exports.CERBOS_METADATA_KEY = 'cerbos:permission';
+exports.CerbosMode = {
+    CHECK: 'CHECK',
+    QUERY_PLAN: 'QUERY_PLAN',
+};
 const CerbosPermission = (permission) => (0, common_1.SetMetadata)(exports.CERBOS_METADATA_KEY, permission);
 exports.CerbosPermission = CerbosPermission;
 //# sourceMappingURL=cerbos.decorator.js.map

package/lib/cerbos.decorator.js.map

@@ -1 +1 @@
-{"version":3,"file":"cerbos.decorator.js","sourceRoot":"","sources":["../src/cerbos.decorator.ts"],"names":[],"mappings":";;;AAAA,2CAA4C;AAE/B,QAAA,mBAAmB,GAAG,mBAAmB,CAAA;AAU/C,MAAM,gBAAgB,GAAG,CAAC,UAA4B,EAAE,EAAE,CAC/D,IAAA,oBAAW,EAAC,2BAAmB,EAAE,UAAU,CAAC,CAAA;AADjC,QAAA,gBAAgB,oBACiB"}
+{"version":3,"file":"cerbos.decorator.js","sourceRoot":"","sources":["../src/cerbos.decorator.ts"],"names":[],"mappings":";;;AAAA,2CAA4C;AAE/B,QAAA,mBAAmB,GAAG,mBAAmB,CAAA;AACzC,QAAA,UAAU,GAAG;IACxB,KAAK,EAAE,OAAO;IACd,UAAU,EAAE,YAAY;CAChB,CAAA;AAYH,MAAM,gBAAgB,GAAG,CAAC,UAA4B,EAAE,EAAE,CAC/D,IAAA,oBAAW,EAAC,2BAAmB,EAAE,UAAU,CAAC,CAAA;AADjC,QAAA,gBAAgB,oBACiB"}

package/lib/cerbos.interceptor.d.ts

@@ -1,12 +1,11 @@
 import { type NestInterceptor, type ExecutionContext, type CallHandler } from '@nestjs/common';
 import { Reflector } from '@nestjs/core';
-import { type Observable } from 'rxjs';
-import type { CerbosModuleOptions } from './cerbos.module';
+import { CerbosService } from './cerbos.service';
+import { HttpAuthorizationContextExtractor } from "./authorizatio-context";
 export declare class CerbosInterceptor implements NestInterceptor {
     private readonly reflector;
-    private readonly config;
-    private cerbosInstance;
-    constructor(reflector: Reflector, config: CerbosModuleOptions);
-    private getCerbos;
-    intercept(context: ExecutionContext, next: CallHandler): Promise<Observable<any>>;
+    private readonly cerbosService;
+    private readonly extractor;
+    constructor(reflector: Reflector, cerbosService: CerbosService, extractor: HttpAuthorizationContextExtractor);
+    intercept(context: ExecutionContext, next: CallHandler): Promise<import("rxjs").Observable<any>>;
 }

package/lib/cerbos.interceptor.js

@@ -8,65 +8,40 @@ var __decorate = (this && this.__decorate) || function (decorators, target, key,
 var __metadata = (this && this.__metadata) || function (k, v) {
     if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
-var __param = (this && this.__param) || function (paramIndex, decorator) {
-    return function (target, key) { decorator(target, key, paramIndex); }
-};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.CerbosInterceptor = void 0;
 const common_1 = require("@nestjs/common");
 const core_1 = require("@nestjs/core");
 const cerbos_decorator_1 = require("./cerbos.decorator");
+const cerbos_service_1 = require("./cerbos.service");
+const cerbos_request_factory_1 = require("./cerbos-request-factory");
+const authorizatio_context_1 = require("./authorizatio-context");
 let CerbosInterceptor = class CerbosInterceptor {
-    constructor(reflector, config) {
+    constructor(reflector, cerbosService, extractor) {
         this.reflector = reflector;
-        this.config = config;
-        this.cerbosInstance = null;
-    }
-    async getCerbos() {
-        if (!this.cerbosInstance) {
-            const { HTTP: Cerbos } = (await import('@cerbos/http'));
-            this.cerbosInstance = new Cerbos(this.config.url);
-        }
-        return this.cerbosInstance;
+        this.cerbosService = cerbosService;
+        this.extractor = extractor;
     }
     async intercept(context, next) {
         const permission = this.reflector.getAllAndOverride(cerbos_decorator_1.CERBOS_METADATA_KEY, [context.getHandler(), context.getClass()]);
         if (!permission) {
             return next.handle();
         }
-        const ctx = context.switchToHttp();
-        const request = ctx.getRequest();
-        const role = request.headers.role?.toLowerCase();
-        const accountId = request.headers.account_id;
-        if (!role || !accountId) {
-            throw new common_1.ForbiddenException('Missing authorization headers');
+        if (permission.mode === cerbos_decorator_1.CerbosMode.QUERY_PLAN) {
+            return next.handle();
         }
-        const cerbosRequest = {
-            principal: {
-                id: role,
-                roles: [role],
-                attributes: { accountId }
-            },
-            resource: {
-                kind: permission.resource.kind,
-                id: permission.resource.id ?? context.getHandler().name,
-                attributes: {}
-            },
-            actions: permission.actions
-        };
+        const request = context.switchToHttp().getRequest();
+        const authContext = this.extractor.extract(request);
+        const cerbosRequest = cerbos_request_factory_1.CerbosRequestFactory.fromHttp(permission, authContext, context.getHandler().name);
         try {
-            const cerbos = await this.getCerbos();
-            const result = await cerbos.checkResource(cerbosRequest);
+            const result = await this.cerbosService.getCheckResource(cerbosRequest);
             const allowed = permission.actions.every((action) => result.isAllowed(action));
-            console.log('cerbos result: ', allowed);
             if (!allowed) {
                 throw new common_1.ForbiddenException('Access denied by Cerbos');
             }
         }
         catch (error) {
-            if (error instanceof common_1.ForbiddenException)
-                throw error;
-            throw new common_1.ForbiddenException('Error checking permissions');
+            throw new common_1.ForbiddenException(`Error - ${error}`);
         }
         return next.handle();
     }
@@ -74,7 +49,8 @@ let CerbosInterceptor = class CerbosInterceptor {
 exports.CerbosInterceptor = CerbosInterceptor;
 exports.CerbosInterceptor = CerbosInterceptor = __decorate([
     (0, common_1.Injectable)(),
-    __param(1, (0, common_1.Inject)('CERBOS_PDP_URL')),
-    __metadata("design:paramtypes", [core_1.Reflector, Object])
+    __metadata("design:paramtypes", [core_1.Reflector,
+        cerbos_service_1.CerbosService,
+        authorizatio_context_1.HttpAuthorizationContextExtractor])
 ], CerbosInterceptor);
 //# sourceMappingURL=cerbos.interceptor.js.map

package/lib/cerbos.interceptor.js.map

@@ -1 +1 @@
-{"version":3,"file":"cerbos.interceptor.js","sourceRoot":"","sources":["../src/cerbos.interceptor.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,2CAOuB;AACvB,uCAAwC;AAExC,yDAA+E;AAMxE,IAAM,iBAAiB,GAAvB,MAAM,iBAAiB;IAG5B,YACqB,SAAoB,EACX,MAA4C;QADrD,cAAS,GAAT,SAAS,CAAW;QACM,WAAM,GAAN,MAAM,CAAqB;QAJlE,mBAAc,GAAe,IAAI,CAAA;IAKtC,CAAC;IAEI,KAAK,CAAC,SAAS;QACrB,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;YACzB,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,MAAM,CAAC,cAAc,CAAC,CAAqB,CAAA;YAC3E,IAAI,CAAC,cAAc,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;QACnD,CAAC;QACD,OAAO,IAAI,CAAC,cAAc,CAAA;IAC5B,CAAC;IAED,KAAK,CAAC,SAAS,CACX,OAAyB,EACzB,IAAiB;QAEnB,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,iBAAiB,CAC/C,sCAAmB,EACnB,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC,CAC7C,CAAA;QAED,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,IAAI,CAAC,MAAM,EAAE,CAAA;QACtB,CAAC;QAED,MAAM,GAAG,GAAG,OAAO,CAAC,YAAY,EAAE,CAAA;QAClC,MAAM,OAAO,GAAG,GAAG,CAAC,UAAU,EAAE,CAAA;QAEhC,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,WAAW,EAAE,CAAA;QAChD,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,UAAU,CAAA;QAE5C,IAAI,CAAC,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACxB,MAAM,IAAI,2BAAkB,CAAC,+BAA+B,CAAC,CAAA;QAC/D,CAAC;QAED,MAAM,aAAa,GAAG;YACpB,SAAS,EAAE;gBACT,EAAE,EAAE,IAAI;gBACR,KAAK,EAAE,CAAC,IAAI,CAAC;gBACb,UAAU,EAAE,EAAE,SAAS,EAAE;aAC1B;YACD,QAAQ,EAAE;gBACR,IAAI,EAAE,UAAU,CAAC,QAAQ,CAAC,IAAI;gBAC9B,EAAE,EAAE,UAAU,CAAC,QAAQ,CAAC,EAAE,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC,IAAI;gBACvD,UAAU,EAAE,EAAE;aACf;YACD,OAAO,EAAE,UAAU,CAAC,OAAO;SAC5B,CAAA;QAED,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAA;YAErC,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,aAAa,CAAC,CAAA;YAExD,MAAM,OAAO,GAAG,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,MAAM,EAAE,EAAE,CAChD,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,CAC3B,CAAA;YACD,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,OAAO,CAAC,CAAA;YACvC,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,2BAAkB,CAAC,yBAAyB,CAAC,CAAA;YACzD,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,2BAAkB;gBAAE,MAAM,KAAK,CAAA;YACpD,MAAM,IAAI,2BAAkB,CAAC,4BAA4B,CAAC,CAAA;QAC5D,CAAC;QAED,OAAO,IAAI,CAAC,MAAM,EAAE,CAAA;IACtB,CAAC;CACF,CAAA;AAxEY,8CAAiB;4BAAjB,iBAAiB;IAD7B,IAAA,mBAAU,GAAE;IAMN,WAAA,IAAA,eAAM,EAAC,gBAAgB,CAAC,CAAA;qCADG,gBAAS;GAJ9B,iBAAiB,CAwE7B"}
+{"version":3,"file":"cerbos.interceptor.js","sourceRoot":"","sources":["../src/cerbos.interceptor.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,2CAMuB;AACvB,uCAAwC;AACxC,yDAAyF;AACzF,qDAAgD;AAChD,qEAA8D;AAC9D,iEAAyE;AAKlE,IAAM,iBAAiB,GAAvB,MAAM,iBAAiB;IAC5B,YACqB,SAAoB,EACpB,aAA4B,EAC5B,SAA4C;QAF5C,cAAS,GAAT,SAAS,CAAW;QACpB,kBAAa,GAAb,aAAa,CAAe;QAC5B,cAAS,GAAT,SAAS,CAAmC;IAC9D,CAAC;IAEJ,KAAK,CAAC,SAAS,CAAC,OAAyB,EAAE,IAAiB;QAC1D,MAAM,UAAU,GAAqB,IAAI,CAAC,SAAS,CAAC,iBAAiB,CACjE,sCAAmB,EACnB,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC,CAC7C,CAAA;QAED,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,IAAI,CAAC,MAAM,EAAE,CAAA;QACtB,CAAC;QAED,IAAI,UAAU,CAAC,IAAI,KAAK,6BAAU,CAAC,UAAU,EAAE,CAAC;YAC9C,OAAO,IAAI,CAAC,MAAM,EAAE,CAAA;QACtB,CAAC;QAED,MAAM,OAAO,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,UAAU,EAAE,CAAA;QACnD,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;QAEnD,MAAM,aAAa,GAAG,6CAAoB,CAAC,QAAQ,CAC/C,UAAU,EACV,WAAW,EACX,OAAO,CAAC,UAAU,EAAE,CAAC,IAAI,CAC5B,CAAA;QAED,IAAI,CAAC;YACH,MAAM,MAAM,GAAyB,MAAM,IAAI,CAAC,aAAa,CAAC,gBAAgB,CAAC,aAAa,CAAC,CAAA;YAC7F,MAAM,OAAO,GAAY,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,MAAM,EAAE,EAAE,CACzD,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,CAC3B,CAAA;YACD,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,2BAAkB,CAAC,yBAAyB,CAAC,CAAA;YACzD,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,2BAAkB,CAAC,WAAW,KAAK,EAAE,CAAC,CAAA;QAClD,CAAC;QACD,OAAO,IAAI,CAAC,MAAM,EAAE,CAAA;IACtB,CAAC;CAEF,CAAA;AA5CY,8CAAiB;4BAAjB,iBAAiB;IAD7B,IAAA,mBAAU,GAAE;qCAGqB,gBAAS;QACL,8BAAa;QACjB,wDAAiC;GAJtD,iBAAiB,CA4C7B"}

package/lib/cerbos.module.js

@@ -10,6 +10,9 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.CerbosModule = void 0;
 const common_1 = require("@nestjs/common");
 const cerbos_interceptor_1 = require("./cerbos.interceptor");
+const cerbos_service_1 = require("./cerbos.service");
+const cerbos_authorization_adapter_1 = require("./adapters/cerbos-authorization.adapter");
+const authorization_port_1 = require("./ports/authorization.port");
 let CerbosModule = CerbosModule_1 = class CerbosModule {
     static register(options) {
         return {
@@ -19,9 +22,18 @@ let CerbosModule = CerbosModule_1 = class CerbosModule {
                     provide: 'CERBOS_PDP_URL',
                     useValue: options,
                 },
+                cerbos_service_1.CerbosService,
                 cerbos_interceptor_1.CerbosInterceptor,
+                {
+                    provide: authorization_port_1.AUTHORIZATION_PORT,
+                    useClass: cerbos_authorization_adapter_1.CerbosAuthorizationAdapter,
+                }
             ],
-            exports: [cerbos_interceptor_1.CerbosInterceptor, 'CERBOS_PDP_URL'],
+            exports: [cerbos_service_1.CerbosService,
+                cerbos_interceptor_1.CerbosInterceptor,
+                'CERBOS_PDP_URL',
+                authorization_port_1.AUTHORIZATION_PORT,
+                cerbos_interceptor_1.CerbosInterceptor],
         };
     }
 };

package/lib/cerbos.module.js.map

@@ -1 +1 @@
-{"version":3,"file":"cerbos.module.js","sourceRoot":"","sources":["../src/cerbos.module.ts"],"names":[],"mappings":";;;;;;;;;;AAAA,2CAA+D;AAC/D,6DAAyD;AAQlD,IAAM,YAAY,oBAAlB,MAAM,YAAY;IACvB,MAAM,CAAC,QAAQ,CAAC,OAA4B;QAC1C,OAAO;YACL,MAAM,EAAE,cAAY;YACpB,SAAS,EAAE;gBACT;oBACE,OAAO,EAAE,gBAAgB;oBACzB,QAAQ,EAAE,OAAO;iBAClB;gBACD,sCAAiB;aAClB;YACD,OAAO,EAAE,CAAC,sCAAiB,EAAE,gBAAgB,CAAC;SAC/C,CAAC;IACJ,CAAC;CACF,CAAA;AAdY,oCAAY;uBAAZ,YAAY;IAFxB,IAAA,eAAM,GAAE;IACR,IAAA,eAAM,EAAC,EAAE,CAAC;GACE,YAAY,CAcxB"}
+{"version":3,"file":"cerbos.module.js","sourceRoot":"","sources":["../src/cerbos.module.ts"],"names":[],"mappings":";;;;;;;;;;AAAA,2CAA+D;AAC/D,6DAAyD;AACzD,qDAAiD;AACjD,0FAAqF;AACrF,mEAAgE;AAQzD,IAAM,YAAY,oBAAlB,MAAM,YAAY;IACvB,MAAM,CAAC,QAAQ,CAAC,OAA4B;QAC1C,OAAO;YACL,MAAM,EAAE,cAAY;YACpB,SAAS,EAAE;gBACT;oBACE,OAAO,EAAE,gBAAgB;oBACzB,QAAQ,EAAE,OAAO;iBAClB;gBACD,8BAAa;gBACb,sCAAiB;gBACjB;oBACE,OAAO,EAAE,uCAAkB;oBAC3B,QAAQ,EAAE,yDAA0B;iBACrC;aACF;YACD,OAAO,EAAE,CAAC,8BAAa;gBACrB,sCAAiB;gBACjB,gBAAgB;gBAChB,uCAAkB;gBAClB,sCAAiB,CAAC;SACrB,CAAC;IACJ,CAAC;CACF,CAAA;AAvBY,oCAAY;uBAAZ,YAAY;IAFxB,IAAA,eAAM,GAAE;IACR,IAAA,eAAM,EAAC,EAAE,CAAC;GACE,YAAY,CAuBxB"}

package/lib/cerbos.service.d.ts

@@ -0,0 +1,11 @@
+import type { CerbosModuleOptions } from './cerbos.module';
+import type { CheckResourceRequest, CheckResourcesResult } from '@cerbos/core' with { 'resolution-mode': 'import' };
+import { GetQueryPlanParams } from "./get-query-plan";
+export declare class CerbosService {
+    private readonly config;
+    private cerbos;
+    constructor(config: CerbosModuleOptions);
+    private getCerbos;
+    getCheckResource(request: CheckResourceRequest): Promise<CheckResourcesResult>;
+    getQueryPlan(params: GetQueryPlanParams): Promise<any>;
+}

package/lib/cerbos.service.js

@@ -0,0 +1,54 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CerbosService = void 0;
+const common_1 = require("@nestjs/common");
+let CerbosService = class CerbosService {
+    constructor(config) {
+        this.config = config;
+    }
+    async getCerbos() {
+        if (!this.cerbos) {
+            const { HTTP: Cerbos } = (await import('@cerbos/http'));
+            this.cerbos = new Cerbos(this.config.url);
+        }
+        return this.cerbos;
+    }
+    async getCheckResource(request) {
+        const cerbos = await this.getCerbos();
+        return cerbos.checkResource(request);
+    }
+    async getQueryPlan(params) {
+        const cerbos = await this.getCerbos();
+        const { principal, resourceKind, action } = params;
+        return cerbos.planResources({
+            principal: {
+                id: principal.id,
+                roles: principal.roles,
+                attributes: principal.attributes
+            },
+            resource: {
+                kind: resourceKind
+            },
+            action
+        });
+    }
+};
+exports.CerbosService = CerbosService;
+exports.CerbosService = CerbosService = __decorate([
+    (0, common_1.Injectable)(),
+    __param(0, (0, common_1.Inject)('CERBOS_PDP_URL')),
+    __metadata("design:paramtypes", [Object])
+], CerbosService);
+//# sourceMappingURL=cerbos.service.js.map

package/lib/cerbos.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cerbos.service.js","sourceRoot":"","sources":["../src/cerbos.service.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,2CAAoD;AAQ7C,IAAM,aAAa,GAAnB,MAAM,aAAa;IAGxB,YAAuD,MAA2B;QAA3B,WAAM,GAAN,MAAM,CAAqB;IAC/E,CAAC;IAEI,KAAK,CAAC,SAAS;QACrB,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,MAAM,CAAC,cAAc,CAAC,CAAgC,CAAC;YACvF,IAAI,CAAC,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC5C,CAAC;QACD,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,OAA6B;QAClD,MAAM,MAAM,GAAS,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QAC5C,OAAO,MAAM,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;IACvC,CAAC;IAEM,KAAK,CAAC,YAAY,CAAE,MAA0B;QACnD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAA;QAErC,MAAM,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,MAAM,CAAA;QAElD,OAAO,MAAM,CAAC,aAAa,CAAC;YAC1B,SAAS,EAAE;gBACT,EAAE,EAAE,SAAS,CAAC,EAAE;gBAChB,KAAK,EAAE,SAAS,CAAC,KAAK;gBACtB,UAAU,EAAE,SAAS,CAAC,UAAU;aACjC;YACD,QAAQ,EAAE;gBACR,IAAI,EAAE,YAAY;aACnB;YACD,MAAM;SACP,CAAC,CAAA;IACJ,CAAC;CAEF,CAAA;AArCY,sCAAa;wBAAb,aAAa;IADzB,IAAA,mBAAU,GAAE;IAIE,WAAA,IAAA,eAAM,EAAC,gBAAgB,CAAC,CAAA;;GAH1B,aAAa,CAqCzB"}

package/lib/get-query-plan.d.ts

@@ -0,0 +1,10 @@
+export interface Principal {
+    id: string;
+    roles: string[];
+    attributes: Record<string, any>;
+}
+export interface GetQueryPlanParams {
+    principal: Principal;
+    resourceKind: string;
+    action: string;
+}

package/lib/get-query-plan.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=get-query-plan.js.map

package/lib/get-query-plan.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"get-query-plan.js","sourceRoot":"","sources":["../src/get-query-plan.ts"],"names":[],"mappings":""}

package/lib/index.d.ts

@@ -1,3 +1,4 @@
 export * from './cerbos.decorator';
 export * from './cerbos.interceptor';
 export * from './cerbos.module';
+export * from './ports/authorization.port';

package/lib/index.js

@@ -17,4 +17,5 @@ Object.defineProperty(exports, "__esModule", { value: true });
 __exportStar(require("./cerbos.decorator"), exports);
 __exportStar(require("./cerbos.interceptor"), exports);
 __exportStar(require("./cerbos.module"), exports);
+__exportStar(require("./ports/authorization.port"), exports);
 //# sourceMappingURL=index.js.map

package/lib/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,qDAAkC;AAClC,uDAAoC;AACpC,kDAA+B"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,qDAAkC;AAClC,uDAAoC;AACpC,kDAA+B;AAC/B,6DAA0C"}

package/lib/ports/authorization.port.d.ts

@@ -0,0 +1,13 @@
+export declare const AUTHORIZATION_PORT: unique symbol;
+export interface AuthorizationPort {
+    getQueryPlan(params: GetQueryPlanParams): Promise<unknown>;
+}
+export interface GetQueryPlanParams {
+    principal: {
+        id: string;
+        roles: string[];
+        attributes: Record<string, any>;
+    };
+    resourceKind: string;
+    action: string;
+}

package/lib/ports/authorization.port.js

@@ -0,0 +1,5 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AUTHORIZATION_PORT = void 0;
+exports.AUTHORIZATION_PORT = Symbol('AuthorizationPort');
+//# sourceMappingURL=authorization.port.js.map

package/lib/ports/authorization.port.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorization.port.js","sourceRoot":"","sources":["../../src/ports/authorization.port.ts"],"names":[],"mappings":";;;AAAa,QAAA,kBAAkB,GAAG,MAAM,CAAC,mBAAmB,CAAC,CAAA"}

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "@apipass/cerbos-pep",
-  "version": "0.0.69",
+  "version": "0.0.71",
   "description": "Cerbos PEP utility for NestJS",
-  "author": "Junie",
+  "author": "raul@apipass.com.br",
   "license": "ISC",
   "main": "lib/index.js",
   "typings": "lib/index.d.ts",
@@ -28,5 +28,5 @@
     "@nestjs/common": "10.4.15",
     "@nestjs/core": "10.4.15"
   },
-  "gitHead": "6f891b90de3603538170f842c4909b5b677f14e2"
+  "gitHead": "cbcf6439e0d49368a46d698ef3384af079df587f"
 }