@backstage-community/plugin-rbac-backend 5.2.4 → 5.2.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +12 -0
- package/dist/admin-permissions/admin-creation.cjs.js +1 -3
- package/dist/admin-permissions/admin-creation.cjs.js.map +1 -1
- package/dist/audit-log/audit-logger.cjs.js.map +1 -1
- package/dist/audit-log/rest-errors-interceptor.cjs.js.map +1 -1
- package/dist/conditional-aliases/alias-resolver.cjs.js.map +1 -1
- package/dist/database/casbin-adapter-factory.cjs.js.map +1 -1
- package/dist/database/conditional-storage.cjs.js.map +1 -1
- package/dist/database/migration.cjs.js.map +1 -1
- package/dist/database/role-metadata.cjs.js.map +1 -1
- package/dist/file-permissions/csv-file-watcher.cjs.js +4 -30
- package/dist/file-permissions/csv-file-watcher.cjs.js.map +1 -1
- package/dist/file-permissions/file-watcher.cjs.js.map +1 -1
- package/dist/file-permissions/yaml-conditional-file-watcher.cjs.js +2 -6
- package/dist/file-permissions/yaml-conditional-file-watcher.cjs.js.map +1 -1
- package/dist/helper.cjs.js.map +1 -1
- package/dist/plugin.cjs.js.map +1 -1
- package/dist/policies/allow-all-policy.cjs.js.map +1 -1
- package/dist/policies/permission-policy.cjs.js +1 -3
- package/dist/policies/permission-policy.cjs.js.map +1 -1
- package/dist/providers/connect-providers.cjs.js +1 -1
- package/dist/providers/connect-providers.cjs.js.map +1 -1
- package/dist/role-manager/ancestor-search-memo.cjs.js.map +1 -1
- package/dist/role-manager/member-list.cjs.js.map +1 -1
- package/dist/role-manager/role-manager.cjs.js.map +1 -1
- package/dist/service/enforcer-delegate.cjs.js +72 -10
- package/dist/service/enforcer-delegate.cjs.js.map +1 -1
- package/dist/service/permission-model.cjs.js.map +1 -1
- package/dist/service/plugin-endpoints.cjs.js.map +1 -1
- package/dist/service/policies-rest-api.cjs.js +4 -12
- package/dist/service/policies-rest-api.cjs.js.map +1 -1
- package/dist/service/policy-builder.cjs.js.map +1 -1
- package/dist/service/router.cjs.js.map +1 -1
- package/dist/validation/condition-validation.cjs.js.map +1 -1
- package/dist/validation/policies-validation.cjs.js.map +1 -1
- package/package.json +14 -4
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"role-manager.cjs.js","sources":["../../src/role-manager/role-manager.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport type { AuthService, LoggerService } from '@backstage/backend-plugin-api';\nimport type { CatalogApi } from '@backstage/catalog-client';\nimport { parseEntityRef } from '@backstage/catalog-model';\nimport type { Config } from '@backstage/config';\n\nimport { RoleManager } from 'casbin';\nimport { Knex } from 'knex';\n\nimport { AncestorSearchMemo } from './ancestor-search-memo';\nimport { RoleMemberList } from './member-list';\n\nexport class BackstageRoleManager implements RoleManager {\n private allRoles: Map<string, RoleMemberList>;\n private maxDepth?: number;\n constructor(\n private readonly catalogApi: CatalogApi,\n private readonly logger: LoggerService,\n private readonly catalogDBClient: Knex,\n private readonly rbacDBClient: Knex,\n private readonly config: Config,\n private readonly auth: AuthService,\n ) {\n this.allRoles = new Map<string, RoleMemberList>();\n const rbacConfig = this.config.getOptionalConfig('permission.rbac');\n this.maxDepth = rbacConfig?.getOptionalNumber('maxDepth');\n if (this.maxDepth !== undefined && this.maxDepth! < 0) {\n throw new Error(\n 'Max Depth for RBAC group hierarchy must be greater than or equal to zero',\n );\n }\n }\n\n /**\n * clear clears all stored data and resets the role manager to the initial state.\n */\n async clear(): Promise<void> {\n // do nothing\n }\n\n /**\n * addLink adds the inheritance link between name1 and role: name2.\n * aka name1 inherits role: name2.\n * The link that is established is based on the defined grouping policies that are added by the enforcer.\n *\n * ex. `g, name1, name2`.\n * @param name1 User or group that will be assigned to a role.\n * @param name2 The role that will be created or updated.\n * @param _domain Unimplemented prefix to the role.\n */\n async addLink(\n name1: string,\n name2: string,\n ..._domain: string[]\n ): Promise<void> {\n if (!this.isPGClient()) {\n const role1 = this.getOrCreateRole(name2);\n role1.addMember(name1);\n }\n }\n\n /**\n * deleteLink deletes the inheritance link between name1 and role: name2.\n * aka name1 does not inherit role: name2 any more.\n * The link that is deleted is based on the defined grouping policies that are removed by the enforcer.\n *\n * ex. `g, name1, name2`.\n * @param name1 User or group that will be removed from assignment of a role.\n * @param name2 The role that will be deleted or updated.\n * @param _domain Unimplemented.\n */\n async deleteLink(\n name1: string,\n name2: string,\n ..._domain: string[]\n ): Promise<void> {\n if (!this.isPGClient()) {\n const role1 = this.getOrCreateRole(name2);\n role1.deleteMember(name1);\n\n // Clean up in the event that there are no more members in the role\n if (role1.getMembers().length === 0) {\n this.allRoles.delete(name2);\n }\n }\n }\n\n /**\n * hasLink determines whether name1 inherits role: name2.\n * During this check we build the group hierarchy graph to determine if the particular user is directly or indirectly\n * attached to the role that we are receiving.\n * In the event that there is a postgres database connection, we will attempt to query the roles from the database.\n * Otherwise we will use the cached allRoles to determine if there is a link.\n * @param name1 The user that we are authorizing.\n * @param name2 The name of the role that we are checking against.\n * @param domain Unimplemented.\n * @returns True if the user is directly or indirectly attached to the role.\n */\n async hasLink(\n name1: string,\n name2: string,\n ...domain: string[]\n ): Promise<boolean> {\n let currentRole: RoleMemberList;\n if (domain.length > 0) {\n throw new Error('domain argument is not supported.');\n }\n\n // Name2 can be an empty string in the event that there is not a role associated with the user\n // This happens because of the filtering of the roles reduces the number of roles that we iterate through.\n if (name2.length === 0) {\n return false;\n }\n\n if (name1 === name2) {\n return true;\n }\n\n if (this.isPGClient()) {\n currentRole = new RoleMemberList(name2);\n await currentRole.buildMembers(currentRole, this.rbacDBClient);\n } else {\n currentRole = this.allRoles.get(name2)!;\n }\n\n // Check for direct declaration of user to role\n const directDeclaration = await this.checkForUserToRole(\n name1,\n name2,\n currentRole,\n );\n if (directDeclaration) {\n return true;\n }\n\n // name1 is always user in our case.\n // name2 is user or group.\n // user(name1) couldn't inherit user(name2).\n // We can use this fact for optimization.\n const { kind } = parseEntityRef(name2);\n if (kind.toLocaleLowerCase() === 'user') {\n return false;\n }\n\n const memo = new AncestorSearchMemo(\n name1,\n this.catalogApi,\n this.catalogDBClient,\n this.auth,\n this.maxDepth,\n );\n await memo.buildUserGraph(memo);\n\n memo.debugNodesAndEdges(this.logger, name1);\n if (!memo.isAcyclic()) {\n const cycles = memo.findCycles();\n\n this.logger.warn(\n `Detected cycle dependencies in the Group graph: ${JSON.stringify(\n cycles,\n )}. Admin/(catalog owner) have to fix it to make RBAC permission evaluation correct for groups: ${JSON.stringify(\n cycles,\n )}`,\n );\n\n return false;\n }\n\n if (\n this.parseEntityKind(name2) === 'role' &&\n this.hasMember(currentRole, memo)\n ) {\n return true;\n }\n return memo.hasEntityRef(name2);\n }\n\n /**\n * syncedHasLink determines whether role: name1 inherits role: name2.\n * domain is a prefix to the roles.\n */\n syncedHasLink?(\n _name1: string,\n _name2: string,\n ..._domain: string[]\n ): boolean {\n throw new Error('Method \"syncedHasLink\" not implemented.');\n }\n\n /**\n * getRoles gets the roles that a subject inherits.\n *\n * name - is a string entity reference, for example: user:default/tom, role:default/dev,\n * so format is <kind>:<namespace>/<entity-name>.\n * GetRoles method supports only two kind values: 'user' and 'role'.\n *\n * domain - is a prefix to the roles, unused parameter.\n *\n * If name's kind === 'user' we return all inherited roles from groups and roles directly assigned to the user.\n * if name's kind === 'role' we return empty array, because we don't support role inheritance.\n * Case kind === 'group' - should not happen, because:\n * 1) Method getRoles returns only role entity references, so casbin engine doesn't call this\n * method again to ask about name with kind \"group\".\n * 2) We implemented getRoles method only to use:\n * 'await enforcer.getImplicitPermissionsForUser(userEntityRef)',\n * so name argument can be only with kind 'user' or 'role'.\n *\n * Info: when we call 'await enforcer.getImplicitPermissionsForUser(userEntityRef)',\n * then casbin engine executes 'getRoles' method few times.\n * Firstly casbin asks about roles for 'userEntityRef'.\n * Let's imagine, that 'getRoles' returned two roles for userEntityRef.\n * Then casbin calls 'getRoles' two more times to\n * find parent roles. But we return empty array for each such call,\n * because we don't support role inheritance and we notify casbin about end of the role sub-tree.\n */\n async getRoles(name: string, ..._domain: string[]): Promise<string[]> {\n const { kind } = parseEntityRef(name);\n if (kind === 'user') {\n const memo = new AncestorSearchMemo(\n name,\n this.catalogApi,\n this.catalogDBClient,\n this.auth,\n this.maxDepth,\n );\n await memo.buildUserGraph(memo);\n memo.debugNodesAndEdges(this.logger, name);\n\n if (this.isPGClient()) {\n const currentRole = new RoleMemberList(name);\n await currentRole.buildRoles(\n currentRole,\n memo.getNodes(),\n this.rbacDBClient,\n );\n return Promise.resolve(currentRole.getRoles());\n }\n\n const allRoles: string[] = [];\n // Account for the user not being in the graph\n memo.setNode(name);\n for (const value of this.allRoles.values()) {\n if (this.hasMember(value, memo)) {\n allRoles.push(value.name);\n }\n }\n\n return Promise.resolve(allRoles);\n }\n\n return [];\n }\n\n /**\n * getUsers gets the users that inherits a subject.\n * domain is an unreferenced parameter here, may be used in other implementations.\n */\n async getUsers(_name: string, ..._domain: string[]): Promise<string[]> {\n throw new Error('Method \"getUsers\" not implemented.');\n }\n\n /**\n * printRoles prints all the roles to log.\n */\n async printRoles(): Promise<void> {\n // do nothing\n }\n\n /**\n * getOrCreateRole will get a role if it has already been cached\n * or it will create a new role to be cached.\n * This cache is a simple tree that is used to quickly compare\n * users and groups to roles.\n * @param name The user or group whose cache we will be getting / creating.\n * @returns The cached role as a RoleList.\n */\n private getOrCreateRole(name: string): RoleMemberList {\n const role = this.allRoles.get(name);\n if (role) {\n return role;\n }\n const newRole = new RoleMemberList(name);\n this.allRoles.set(name, newRole);\n\n return newRole;\n }\n\n // parse the entity to find out if it is a user / group / or role\n private parseEntityKind(name: string): string {\n const parsed = name.split(':');\n return parsed[0];\n }\n\n /**\n * isPGClient checks what the current database client is at them time.\n * This is to ensure that we are querying the database in the event of postgres\n * or using in memory cache for better sqlite3.\n * @returns True if the database client is pg.\n */\n isPGClient(): boolean {\n const client = this.rbacDBClient.client.config.client;\n return client === 'pg';\n }\n\n /**\n * checkForUserToRole checks if there exists a direct declaration of a user to a role. Used to exit out of\n * hasLink faster in the event to reduce the time it would take to build the user graph.\n * @param name1 The user that we are checking for.\n * @param name2 The role that we are checking for.\n * @returns True if there is a user that is directly attached to a particular role.\n */\n private async checkForUserToRole(\n name1: string,\n name2: string,\n currentRole: RoleMemberList | undefined,\n ): Promise<boolean | undefined> {\n const tempRole = this.getOrCreateRole(name2);\n\n // Immediately check if the our temporary role has a link with the role that we are comparing it to\n if (this.parseEntityKind(name2) === 'role' && tempRole.hasMember(name1)) {\n return true;\n }\n\n // Clean up the temp role\n if (tempRole.getMembers().length === 0) {\n this.allRoles.delete(name2);\n }\n\n if (currentRole && currentRole.hasMember(name1)) {\n return true;\n }\n\n return undefined;\n }\n\n /**\n * hasMember checks if the members from a particular role is associated with the user\n * that the AncestorSearchMemo graph is built for.\n * @param role The role that we are getting the members from.\n * @param memo The user graph that we are comparing members with.\n * @returns True if a member from the role is also associated with the user.\n */\n private hasMember(\n role: RoleMemberList | undefined,\n memo: AncestorSearchMemo,\n ): boolean {\n if (role === undefined) {\n return false;\n }\n\n for (const member of role.getMembers()) {\n if (memo.hasEntityRef(member)) {\n return true;\n }\n }\n return false;\n }\n}\n"],"names":["RoleMemberList","parseEntityRef","AncestorSearchMemo"],"mappings":";;;;;;AA0BO,MAAM,oBAA4C,CAAA;AAAA,EAGvD,YACmB,UACA,EAAA,MAAA,EACA,eACA,EAAA,YAAA,EACA,QACA,IACjB,EAAA;AANiB,IAAA,IAAA,CAAA,UAAA,GAAA,UAAA,CAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA,CAAA;AACA,IAAA,IAAA,CAAA,eAAA,GAAA,eAAA,CAAA;AACA,IAAA,IAAA,CAAA,YAAA,GAAA,YAAA,CAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA,CAAA;AACA,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA,CAAA;AAEjB,IAAK,IAAA,CAAA,QAAA,uBAAe,GAA4B,EAAA,CAAA;AAChD,IAAA,MAAM,UAAa,GAAA,IAAA,CAAK,MAAO,CAAA,iBAAA,CAAkB,iBAAiB,CAAA,CAAA;AAClE,IAAK,IAAA,CAAA,QAAA,GAAW,UAAY,EAAA,iBAAA,CAAkB,UAAU,CAAA,CAAA;AACxD,IAAA,IAAI,IAAK,CAAA,QAAA,KAAa,KAAa,CAAA,IAAA,IAAA,CAAK,WAAY,CAAG,EAAA;AACrD,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,0EAAA;AAAA,OACF,CAAA;AAAA,KACF;AAAA,GACF;AAAA,EAlBQ,QAAA,CAAA;AAAA,EACA,QAAA,CAAA;AAAA;AAAA;AAAA;AAAA,EAsBR,MAAM,KAAuB,GAAA;AAAA,GAE7B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,OAAA,CACJ,KACA,EAAA,KAAA,EAAA,GACG,OACY,EAAA;AACf,IAAI,IAAA,CAAC,IAAK,CAAA,UAAA,EAAc,EAAA;AACtB,MAAM,MAAA,KAAA,GAAQ,IAAK,CAAA,eAAA,CAAgB,KAAK,CAAA,CAAA;AACxC,MAAA,KAAA,CAAM,UAAU,KAAK,CAAA,CAAA;AAAA,KACvB;AAAA,GACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,UAAA,CACJ,KACA,EAAA,KAAA,EAAA,GACG,OACY,EAAA;AACf,IAAI,IAAA,CAAC,IAAK,CAAA,UAAA,EAAc,EAAA;AACtB,MAAM,MAAA,KAAA,GAAQ,IAAK,CAAA,eAAA,CAAgB,KAAK,CAAA,CAAA;AACxC,MAAA,KAAA,CAAM,aAAa,KAAK,CAAA,CAAA;AAGxB,MAAA,IAAI,KAAM,CAAA,UAAA,EAAa,CAAA,MAAA,KAAW,CAAG,EAAA;AACnC,QAAK,IAAA,CAAA,QAAA,CAAS,OAAO,KAAK,CAAA,CAAA;AAAA,OAC5B;AAAA,KACF;AAAA,GACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,MAAM,OAAA,CACJ,KACA,EAAA,KAAA,EAAA,GACG,MACe,EAAA;AAClB,IAAI,IAAA,WAAA,CAAA;AACJ,IAAI,IAAA,MAAA,CAAO,SAAS,CAAG,EAAA;AACrB,MAAM,MAAA,IAAI,MAAM,mCAAmC,CAAA,CAAA;AAAA,KACrD;AAIA,IAAI,IAAA,KAAA,CAAM,WAAW,CAAG,EAAA;AACtB,MAAO,OAAA,KAAA,CAAA;AAAA,KACT;AAEA,IAAA,IAAI,UAAU,KAAO,EAAA;AACnB,MAAO,OAAA,IAAA,CAAA;AAAA,KACT;AAEA,IAAI,IAAA,IAAA,CAAK,YAAc,EAAA;AACrB,MAAc,WAAA,GAAA,IAAIA,0BAAe,KAAK,CAAA,CAAA;AACtC,MAAA,MAAM,WAAY,CAAA,YAAA,CAAa,WAAa,EAAA,IAAA,CAAK,YAAY,CAAA,CAAA;AAAA,KACxD,MAAA;AACL,MAAc,WAAA,GAAA,IAAA,CAAK,QAAS,CAAA,GAAA,CAAI,KAAK,CAAA,CAAA;AAAA,KACvC;AAGA,IAAM,MAAA,iBAAA,GAAoB,MAAM,IAAK,CAAA,kBAAA;AAAA,MACnC,KAAA;AAAA,MACA,KAAA;AAAA,MACA,WAAA;AAAA,KACF,CAAA;AACA,IAAA,IAAI,iBAAmB,EAAA;AACrB,MAAO,OAAA,IAAA,CAAA;AAAA,KACT;AAMA,IAAA,MAAM,EAAE,IAAA,EAAS,GAAAC,2BAAA,CAAe,KAAK,CAAA,CAAA;AACrC,IAAI,IAAA,IAAA,CAAK,iBAAkB,EAAA,KAAM,MAAQ,EAAA;AACvC,MAAO,OAAA,KAAA,CAAA;AAAA,KACT;AAEA,IAAA,MAAM,OAAO,IAAIC,qCAAA;AAAA,MACf,KAAA;AAAA,MACA,IAAK,CAAA,UAAA;AAAA,MACL,IAAK,CAAA,eAAA;AAAA,MACL,IAAK,CAAA,IAAA;AAAA,MACL,IAAK,CAAA,QAAA;AAAA,KACP,CAAA;AACA,IAAM,MAAA,IAAA,CAAK,eAAe,IAAI,CAAA,CAAA;AAE9B,IAAK,IAAA,CAAA,kBAAA,CAAmB,IAAK,CAAA,MAAA,EAAQ,KAAK,CAAA,CAAA;AAC1C,IAAI,IAAA,CAAC,IAAK,CAAA,SAAA,EAAa,EAAA;AACrB,MAAM,MAAA,MAAA,GAAS,KAAK,UAAW,EAAA,CAAA;AAE/B,MAAA,IAAA,CAAK,MAAO,CAAA,IAAA;AAAA,QACV,mDAAmD,IAAK,CAAA,SAAA;AAAA,UACtD,MAAA;AAAA,SACD,iGAAiG,IAAK,CAAA,SAAA;AAAA,UACrG,MAAA;AAAA,SACD,CAAA,CAAA;AAAA,OACH,CAAA;AAEA,MAAO,OAAA,KAAA,CAAA;AAAA,KACT;AAEA,IACE,IAAA,IAAA,CAAK,gBAAgB,KAAK,CAAA,KAAM,UAChC,IAAK,CAAA,SAAA,CAAU,WAAa,EAAA,IAAI,CAChC,EAAA;AACA,MAAO,OAAA,IAAA,CAAA;AAAA,KACT;AACA,IAAO,OAAA,IAAA,CAAK,aAAa,KAAK,CAAA,CAAA;AAAA,GAChC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,aAAA,CACE,MACA,EAAA,MAAA,EAAA,GACG,OACM,EAAA;AACT,IAAM,MAAA,IAAI,MAAM,yCAAyC,CAAA,CAAA;AAAA,GAC3D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA4BA,MAAM,QAAS,CAAA,IAAA,EAAA,GAAiB,OAAsC,EAAA;AACpE,IAAA,MAAM,EAAE,IAAA,EAAS,GAAAD,2BAAA,CAAe,IAAI,CAAA,CAAA;AACpC,IAAA,IAAI,SAAS,MAAQ,EAAA;AACnB,MAAA,MAAM,OAAO,IAAIC,qCAAA;AAAA,QACf,IAAA;AAAA,QACA,IAAK,CAAA,UAAA;AAAA,QACL,IAAK,CAAA,eAAA;AAAA,QACL,IAAK,CAAA,IAAA;AAAA,QACL,IAAK,CAAA,QAAA;AAAA,OACP,CAAA;AACA,MAAM,MAAA,IAAA,CAAK,eAAe,IAAI,CAAA,CAAA;AAC9B,MAAK,IAAA,CAAA,kBAAA,CAAmB,IAAK,CAAA,MAAA,EAAQ,IAAI,CAAA,CAAA;AAEzC,MAAI,IAAA,IAAA,CAAK,YAAc,EAAA;AACrB,QAAM,MAAA,WAAA,GAAc,IAAIF,yBAAA,CAAe,IAAI,CAAA,CAAA;AAC3C,QAAA,MAAM,WAAY,CAAA,UAAA;AAAA,UAChB,WAAA;AAAA,UACA,KAAK,QAAS,EAAA;AAAA,UACd,IAAK,CAAA,YAAA;AAAA,SACP,CAAA;AACA,QAAA,OAAO,OAAQ,CAAA,OAAA,CAAQ,WAAY,CAAA,QAAA,EAAU,CAAA,CAAA;AAAA,OAC/C;AAEA,MAAA,MAAM,WAAqB,EAAC,CAAA;AAE5B,MAAA,IAAA,CAAK,QAAQ,IAAI,CAAA,CAAA;AACjB,MAAA,KAAA,MAAW,KAAS,IAAA,IAAA,CAAK,QAAS,CAAA,MAAA,EAAU,EAAA;AAC1C,QAAA,IAAI,IAAK,CAAA,SAAA,CAAU,KAAO,EAAA,IAAI,CAAG,EAAA;AAC/B,UAAS,QAAA,CAAA,IAAA,CAAK,MAAM,IAAI,CAAA,CAAA;AAAA,SAC1B;AAAA,OACF;AAEA,MAAO,OAAA,OAAA,CAAQ,QAAQ,QAAQ,CAAA,CAAA;AAAA,KACjC;AAEA,IAAA,OAAO,EAAC,CAAA;AAAA,GACV;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,QAAS,CAAA,KAAA,EAAA,GAAkB,OAAsC,EAAA;AACrE,IAAM,MAAA,IAAI,MAAM,oCAAoC,CAAA,CAAA;AAAA,GACtD;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,UAA4B,GAAA;AAAA,GAElC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUQ,gBAAgB,IAA8B,EAAA;AACpD,IAAA,MAAM,IAAO,GAAA,IAAA,CAAK,QAAS,CAAA,GAAA,CAAI,IAAI,CAAA,CAAA;AACnC,IAAA,IAAI,IAAM,EAAA;AACR,MAAO,OAAA,IAAA,CAAA;AAAA,KACT;AACA,IAAM,MAAA,OAAA,GAAU,IAAIA,yBAAA,CAAe,IAAI,CAAA,CAAA;AACvC,IAAK,IAAA,CAAA,QAAA,CAAS,GAAI,CAAA,IAAA,EAAM,OAAO,CAAA,CAAA;AAE/B,IAAO,OAAA,OAAA,CAAA;AAAA,GACT;AAAA;AAAA,EAGQ,gBAAgB,IAAsB,EAAA;AAC5C,IAAM,MAAA,MAAA,GAAS,IAAK,CAAA,KAAA,CAAM,GAAG,CAAA,CAAA;AAC7B,IAAA,OAAO,OAAO,CAAC,CAAA,CAAA;AAAA,GACjB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,UAAsB,GAAA;AACpB,IAAA,MAAM,MAAS,GAAA,IAAA,CAAK,YAAa,CAAA,MAAA,CAAO,MAAO,CAAA,MAAA,CAAA;AAC/C,IAAA,OAAO,MAAW,KAAA,IAAA,CAAA;AAAA,GACpB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAc,kBAAA,CACZ,KACA,EAAA,KAAA,EACA,WAC8B,EAAA;AAC9B,IAAM,MAAA,QAAA,GAAW,IAAK,CAAA,eAAA,CAAgB,KAAK,CAAA,CAAA;AAG3C,IAAI,IAAA,IAAA,CAAK,gBAAgB,KAAK,CAAA,KAAM,UAAU,QAAS,CAAA,SAAA,CAAU,KAAK,CAAG,EAAA;AACvE,MAAO,OAAA,IAAA,CAAA;AAAA,KACT;AAGA,IAAA,IAAI,QAAS,CAAA,UAAA,EAAa,CAAA,MAAA,KAAW,CAAG,EAAA;AACtC,MAAK,IAAA,CAAA,QAAA,CAAS,OAAO,KAAK,CAAA,CAAA;AAAA,KAC5B;AAEA,IAAA,IAAI,WAAe,IAAA,WAAA,CAAY,SAAU,CAAA,KAAK,CAAG,EAAA;AAC/C,MAAO,OAAA,IAAA,CAAA;AAAA,KACT;AAEA,IAAO,OAAA,KAAA,CAAA,CAAA;AAAA,GACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASQ,SAAA,CACN,MACA,IACS,EAAA;AACT,IAAA,IAAI,SAAS,KAAW,CAAA,EAAA;AACtB,MAAO,OAAA,KAAA,CAAA;AAAA,KACT;AAEA,IAAW,KAAA,MAAA,MAAA,IAAU,IAAK,CAAA,UAAA,EAAc,EAAA;AACtC,MAAI,IAAA,IAAA,CAAK,YAAa,CAAA,MAAM,CAAG,EAAA;AAC7B,QAAO,OAAA,IAAA,CAAA;AAAA,OACT;AAAA,KACF;AACA,IAAO,OAAA,KAAA,CAAA;AAAA,GACT;AACF;;;;"}
|
|
1
|
+
{"version":3,"file":"role-manager.cjs.js","sources":["../../src/role-manager/role-manager.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport type { AuthService, LoggerService } from '@backstage/backend-plugin-api';\nimport type { CatalogApi } from '@backstage/catalog-client';\nimport { parseEntityRef } from '@backstage/catalog-model';\nimport type { Config } from '@backstage/config';\n\nimport { RoleManager } from 'casbin';\nimport { Knex } from 'knex';\n\nimport { AncestorSearchMemo } from './ancestor-search-memo';\nimport { RoleMemberList } from './member-list';\n\nexport class BackstageRoleManager implements RoleManager {\n private allRoles: Map<string, RoleMemberList>;\n private maxDepth?: number;\n constructor(\n private readonly catalogApi: CatalogApi,\n private readonly logger: LoggerService,\n private readonly catalogDBClient: Knex,\n private readonly rbacDBClient: Knex,\n private readonly config: Config,\n private readonly auth: AuthService,\n ) {\n this.allRoles = new Map<string, RoleMemberList>();\n const rbacConfig = this.config.getOptionalConfig('permission.rbac');\n this.maxDepth = rbacConfig?.getOptionalNumber('maxDepth');\n if (this.maxDepth !== undefined && this.maxDepth! < 0) {\n throw new Error(\n 'Max Depth for RBAC group hierarchy must be greater than or equal to zero',\n );\n }\n }\n\n /**\n * clear clears all stored data and resets the role manager to the initial state.\n */\n async clear(): Promise<void> {\n // do nothing\n }\n\n /**\n * addLink adds the inheritance link between name1 and role: name2.\n * aka name1 inherits role: name2.\n * The link that is established is based on the defined grouping policies that are added by the enforcer.\n *\n * ex. `g, name1, name2`.\n * @param name1 User or group that will be assigned to a role.\n * @param name2 The role that will be created or updated.\n * @param _domain Unimplemented prefix to the role.\n */\n async addLink(\n name1: string,\n name2: string,\n ..._domain: string[]\n ): Promise<void> {\n if (!this.isPGClient()) {\n const role1 = this.getOrCreateRole(name2);\n role1.addMember(name1);\n }\n }\n\n /**\n * deleteLink deletes the inheritance link between name1 and role: name2.\n * aka name1 does not inherit role: name2 any more.\n * The link that is deleted is based on the defined grouping policies that are removed by the enforcer.\n *\n * ex. `g, name1, name2`.\n * @param name1 User or group that will be removed from assignment of a role.\n * @param name2 The role that will be deleted or updated.\n * @param _domain Unimplemented.\n */\n async deleteLink(\n name1: string,\n name2: string,\n ..._domain: string[]\n ): Promise<void> {\n if (!this.isPGClient()) {\n const role1 = this.getOrCreateRole(name2);\n role1.deleteMember(name1);\n\n // Clean up in the event that there are no more members in the role\n if (role1.getMembers().length === 0) {\n this.allRoles.delete(name2);\n }\n }\n }\n\n /**\n * hasLink determines whether name1 inherits role: name2.\n * During this check we build the group hierarchy graph to determine if the particular user is directly or indirectly\n * attached to the role that we are receiving.\n * In the event that there is a postgres database connection, we will attempt to query the roles from the database.\n * Otherwise we will use the cached allRoles to determine if there is a link.\n * @param name1 The user that we are authorizing.\n * @param name2 The name of the role that we are checking against.\n * @param domain Unimplemented.\n * @returns True if the user is directly or indirectly attached to the role.\n */\n async hasLink(\n name1: string,\n name2: string,\n ...domain: string[]\n ): Promise<boolean> {\n let currentRole: RoleMemberList;\n if (domain.length > 0) {\n throw new Error('domain argument is not supported.');\n }\n\n // Name2 can be an empty string in the event that there is not a role associated with the user\n // This happens because of the filtering of the roles reduces the number of roles that we iterate through.\n if (name2.length === 0) {\n return false;\n }\n\n if (name1 === name2) {\n return true;\n }\n\n if (this.isPGClient()) {\n currentRole = new RoleMemberList(name2);\n await currentRole.buildMembers(currentRole, this.rbacDBClient);\n } else {\n currentRole = this.allRoles.get(name2)!;\n }\n\n // Check for direct declaration of user to role\n const directDeclaration = await this.checkForUserToRole(\n name1,\n name2,\n currentRole,\n );\n if (directDeclaration) {\n return true;\n }\n\n // name1 is always user in our case.\n // name2 is user or group.\n // user(name1) couldn't inherit user(name2).\n // We can use this fact for optimization.\n const { kind } = parseEntityRef(name2);\n if (kind.toLocaleLowerCase() === 'user') {\n return false;\n }\n\n const memo = new AncestorSearchMemo(\n name1,\n this.catalogApi,\n this.catalogDBClient,\n this.auth,\n this.maxDepth,\n );\n await memo.buildUserGraph(memo);\n\n memo.debugNodesAndEdges(this.logger, name1);\n if (!memo.isAcyclic()) {\n const cycles = memo.findCycles();\n\n this.logger.warn(\n `Detected cycle dependencies in the Group graph: ${JSON.stringify(\n cycles,\n )}. Admin/(catalog owner) have to fix it to make RBAC permission evaluation correct for groups: ${JSON.stringify(\n cycles,\n )}`,\n );\n\n return false;\n }\n\n if (\n this.parseEntityKind(name2) === 'role' &&\n this.hasMember(currentRole, memo)\n ) {\n return true;\n }\n return memo.hasEntityRef(name2);\n }\n\n /**\n * syncedHasLink determines whether role: name1 inherits role: name2.\n * domain is a prefix to the roles.\n */\n syncedHasLink?(\n _name1: string,\n _name2: string,\n ..._domain: string[]\n ): boolean {\n throw new Error('Method \"syncedHasLink\" not implemented.');\n }\n\n /**\n * getRoles gets the roles that a subject inherits.\n *\n * name - is a string entity reference, for example: user:default/tom, role:default/dev,\n * so format is <kind>:<namespace>/<entity-name>.\n * GetRoles method supports only two kind values: 'user' and 'role'.\n *\n * domain - is a prefix to the roles, unused parameter.\n *\n * If name's kind === 'user' we return all inherited roles from groups and roles directly assigned to the user.\n * if name's kind === 'role' we return empty array, because we don't support role inheritance.\n * Case kind === 'group' - should not happen, because:\n * 1) Method getRoles returns only role entity references, so casbin engine doesn't call this\n * method again to ask about name with kind \"group\".\n * 2) We implemented getRoles method only to use:\n * 'await enforcer.getImplicitPermissionsForUser(userEntityRef)',\n * so name argument can be only with kind 'user' or 'role'.\n *\n * Info: when we call 'await enforcer.getImplicitPermissionsForUser(userEntityRef)',\n * then casbin engine executes 'getRoles' method few times.\n * Firstly casbin asks about roles for 'userEntityRef'.\n * Let's imagine, that 'getRoles' returned two roles for userEntityRef.\n * Then casbin calls 'getRoles' two more times to\n * find parent roles. But we return empty array for each such call,\n * because we don't support role inheritance and we notify casbin about end of the role sub-tree.\n */\n async getRoles(name: string, ..._domain: string[]): Promise<string[]> {\n const { kind } = parseEntityRef(name);\n if (kind === 'user') {\n const memo = new AncestorSearchMemo(\n name,\n this.catalogApi,\n this.catalogDBClient,\n this.auth,\n this.maxDepth,\n );\n await memo.buildUserGraph(memo);\n memo.debugNodesAndEdges(this.logger, name);\n\n if (this.isPGClient()) {\n const currentRole = new RoleMemberList(name);\n await currentRole.buildRoles(\n currentRole,\n memo.getNodes(),\n this.rbacDBClient,\n );\n return Promise.resolve(currentRole.getRoles());\n }\n\n const allRoles: string[] = [];\n // Account for the user not being in the graph\n memo.setNode(name);\n for (const value of this.allRoles.values()) {\n if (this.hasMember(value, memo)) {\n allRoles.push(value.name);\n }\n }\n\n return Promise.resolve(allRoles);\n }\n\n return [];\n }\n\n /**\n * getUsers gets the users that inherits a subject.\n * domain is an unreferenced parameter here, may be used in other implementations.\n */\n async getUsers(_name: string, ..._domain: string[]): Promise<string[]> {\n throw new Error('Method \"getUsers\" not implemented.');\n }\n\n /**\n * printRoles prints all the roles to log.\n */\n async printRoles(): Promise<void> {\n // do nothing\n }\n\n /**\n * getOrCreateRole will get a role if it has already been cached\n * or it will create a new role to be cached.\n * This cache is a simple tree that is used to quickly compare\n * users and groups to roles.\n * @param name The user or group whose cache we will be getting / creating.\n * @returns The cached role as a RoleList.\n */\n private getOrCreateRole(name: string): RoleMemberList {\n const role = this.allRoles.get(name);\n if (role) {\n return role;\n }\n const newRole = new RoleMemberList(name);\n this.allRoles.set(name, newRole);\n\n return newRole;\n }\n\n // parse the entity to find out if it is a user / group / or role\n private parseEntityKind(name: string): string {\n const parsed = name.split(':');\n return parsed[0];\n }\n\n /**\n * isPGClient checks what the current database client is at them time.\n * This is to ensure that we are querying the database in the event of postgres\n * or using in memory cache for better sqlite3.\n * @returns True if the database client is pg.\n */\n isPGClient(): boolean {\n const client = this.rbacDBClient.client.config.client;\n return client === 'pg';\n }\n\n /**\n * checkForUserToRole checks if there exists a direct declaration of a user to a role. Used to exit out of\n * hasLink faster in the event to reduce the time it would take to build the user graph.\n * @param name1 The user that we are checking for.\n * @param name2 The role that we are checking for.\n * @returns True if there is a user that is directly attached to a particular role.\n */\n private async checkForUserToRole(\n name1: string,\n name2: string,\n currentRole: RoleMemberList | undefined,\n ): Promise<boolean | undefined> {\n const tempRole = this.getOrCreateRole(name2);\n\n // Immediately check if the our temporary role has a link with the role that we are comparing it to\n if (this.parseEntityKind(name2) === 'role' && tempRole.hasMember(name1)) {\n return true;\n }\n\n // Clean up the temp role\n if (tempRole.getMembers().length === 0) {\n this.allRoles.delete(name2);\n }\n\n if (currentRole && currentRole.hasMember(name1)) {\n return true;\n }\n\n return undefined;\n }\n\n /**\n * hasMember checks if the members from a particular role is associated with the user\n * that the AncestorSearchMemo graph is built for.\n * @param role The role that we are getting the members from.\n * @param memo The user graph that we are comparing members with.\n * @returns True if a member from the role is also associated with the user.\n */\n private hasMember(\n role: RoleMemberList | undefined,\n memo: AncestorSearchMemo,\n ): boolean {\n if (role === undefined) {\n return false;\n }\n\n for (const member of role.getMembers()) {\n if (memo.hasEntityRef(member)) {\n return true;\n }\n }\n return false;\n }\n}\n"],"names":["RoleMemberList","parseEntityRef","AncestorSearchMemo"],"mappings":";;;;;;AA0BO,MAAM,oBAA4C,CAAA;AAAA,EAGvD,YACmB,UACA,EAAA,MAAA,EACA,eACA,EAAA,YAAA,EACA,QACA,IACjB,EAAA;AANiB,IAAA,IAAA,CAAA,UAAA,GAAA,UAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,eAAA,GAAA,eAAA;AACA,IAAA,IAAA,CAAA,YAAA,GAAA,YAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AAEjB,IAAK,IAAA,CAAA,QAAA,uBAAe,GAA4B,EAAA;AAChD,IAAA,MAAM,UAAa,GAAA,IAAA,CAAK,MAAO,CAAA,iBAAA,CAAkB,iBAAiB,CAAA;AAClE,IAAK,IAAA,CAAA,QAAA,GAAW,UAAY,EAAA,iBAAA,CAAkB,UAAU,CAAA;AACxD,IAAA,IAAI,IAAK,CAAA,QAAA,KAAa,KAAa,CAAA,IAAA,IAAA,CAAK,WAAY,CAAG,EAAA;AACrD,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA;AACF;AACF,EAlBQ,QAAA;AAAA,EACA,QAAA;AAAA;AAAA;AAAA;AAAA,EAsBR,MAAM,KAAuB,GAAA;AAAA;AAE7B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,OAAA,CACJ,KACA,EAAA,KAAA,EAAA,GACG,OACY,EAAA;AACf,IAAI,IAAA,CAAC,IAAK,CAAA,UAAA,EAAc,EAAA;AACtB,MAAM,MAAA,KAAA,GAAQ,IAAK,CAAA,eAAA,CAAgB,KAAK,CAAA;AACxC,MAAA,KAAA,CAAM,UAAU,KAAK,CAAA;AAAA;AACvB;AACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,UAAA,CACJ,KACA,EAAA,KAAA,EAAA,GACG,OACY,EAAA;AACf,IAAI,IAAA,CAAC,IAAK,CAAA,UAAA,EAAc,EAAA;AACtB,MAAM,MAAA,KAAA,GAAQ,IAAK,CAAA,eAAA,CAAgB,KAAK,CAAA;AACxC,MAAA,KAAA,CAAM,aAAa,KAAK,CAAA;AAGxB,MAAA,IAAI,KAAM,CAAA,UAAA,EAAa,CAAA,MAAA,KAAW,CAAG,EAAA;AACnC,QAAK,IAAA,CAAA,QAAA,CAAS,OAAO,KAAK,CAAA;AAAA;AAC5B;AACF;AACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,MAAM,OAAA,CACJ,KACA,EAAA,KAAA,EAAA,GACG,MACe,EAAA;AAClB,IAAI,IAAA,WAAA;AACJ,IAAI,IAAA,MAAA,CAAO,SAAS,CAAG,EAAA;AACrB,MAAM,MAAA,IAAI,MAAM,mCAAmC,CAAA;AAAA;AAKrD,IAAI,IAAA,KAAA,CAAM,WAAW,CAAG,EAAA;AACtB,MAAO,OAAA,KAAA;AAAA;AAGT,IAAA,IAAI,UAAU,KAAO,EAAA;AACnB,MAAO,OAAA,IAAA;AAAA;AAGT,IAAI,IAAA,IAAA,CAAK,YAAc,EAAA;AACrB,MAAc,WAAA,GAAA,IAAIA,0BAAe,KAAK,CAAA;AACtC,MAAA,MAAM,WAAY,CAAA,YAAA,CAAa,WAAa,EAAA,IAAA,CAAK,YAAY,CAAA;AAAA,KACxD,MAAA;AACL,MAAc,WAAA,GAAA,IAAA,CAAK,QAAS,CAAA,GAAA,CAAI,KAAK,CAAA;AAAA;AAIvC,IAAM,MAAA,iBAAA,GAAoB,MAAM,IAAK,CAAA,kBAAA;AAAA,MACnC,KAAA;AAAA,MACA,KAAA;AAAA,MACA;AAAA,KACF;AACA,IAAA,IAAI,iBAAmB,EAAA;AACrB,MAAO,OAAA,IAAA;AAAA;AAOT,IAAA,MAAM,EAAE,IAAA,EAAS,GAAAC,2BAAA,CAAe,KAAK,CAAA;AACrC,IAAI,IAAA,IAAA,CAAK,iBAAkB,EAAA,KAAM,MAAQ,EAAA;AACvC,MAAO,OAAA,KAAA;AAAA;AAGT,IAAA,MAAM,OAAO,IAAIC,qCAAA;AAAA,MACf,KAAA;AAAA,MACA,IAAK,CAAA,UAAA;AAAA,MACL,IAAK,CAAA,eAAA;AAAA,MACL,IAAK,CAAA,IAAA;AAAA,MACL,IAAK,CAAA;AAAA,KACP;AACA,IAAM,MAAA,IAAA,CAAK,eAAe,IAAI,CAAA;AAE9B,IAAK,IAAA,CAAA,kBAAA,CAAmB,IAAK,CAAA,MAAA,EAAQ,KAAK,CAAA;AAC1C,IAAI,IAAA,CAAC,IAAK,CAAA,SAAA,EAAa,EAAA;AACrB,MAAM,MAAA,MAAA,GAAS,KAAK,UAAW,EAAA;AAE/B,MAAA,IAAA,CAAK,MAAO,CAAA,IAAA;AAAA,QACV,mDAAmD,IAAK,CAAA,SAAA;AAAA,UACtD;AAAA,SACD,iGAAiG,IAAK,CAAA,SAAA;AAAA,UACrG;AAAA,SACD,CAAA;AAAA,OACH;AAEA,MAAO,OAAA,KAAA;AAAA;AAGT,IACE,IAAA,IAAA,CAAK,gBAAgB,KAAK,CAAA,KAAM,UAChC,IAAK,CAAA,SAAA,CAAU,WAAa,EAAA,IAAI,CAChC,EAAA;AACA,MAAO,OAAA,IAAA;AAAA;AAET,IAAO,OAAA,IAAA,CAAK,aAAa,KAAK,CAAA;AAAA;AAChC;AAAA;AAAA;AAAA;AAAA,EAMA,aAAA,CACE,MACA,EAAA,MAAA,EAAA,GACG,OACM,EAAA;AACT,IAAM,MAAA,IAAI,MAAM,yCAAyC,CAAA;AAAA;AAC3D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA4BA,MAAM,QAAS,CAAA,IAAA,EAAA,GAAiB,OAAsC,EAAA;AACpE,IAAA,MAAM,EAAE,IAAA,EAAS,GAAAD,2BAAA,CAAe,IAAI,CAAA;AACpC,IAAA,IAAI,SAAS,MAAQ,EAAA;AACnB,MAAA,MAAM,OAAO,IAAIC,qCAAA;AAAA,QACf,IAAA;AAAA,QACA,IAAK,CAAA,UAAA;AAAA,QACL,IAAK,CAAA,eAAA;AAAA,QACL,IAAK,CAAA,IAAA;AAAA,QACL,IAAK,CAAA;AAAA,OACP;AACA,MAAM,MAAA,IAAA,CAAK,eAAe,IAAI,CAAA;AAC9B,MAAK,IAAA,CAAA,kBAAA,CAAmB,IAAK,CAAA,MAAA,EAAQ,IAAI,CAAA;AAEzC,MAAI,IAAA,IAAA,CAAK,YAAc,EAAA;AACrB,QAAM,MAAA,WAAA,GAAc,IAAIF,yBAAA,CAAe,IAAI,CAAA;AAC3C,QAAA,MAAM,WAAY,CAAA,UAAA;AAAA,UAChB,WAAA;AAAA,UACA,KAAK,QAAS,EAAA;AAAA,UACd,IAAK,CAAA;AAAA,SACP;AACA,QAAA,OAAO,OAAQ,CAAA,OAAA,CAAQ,WAAY,CAAA,QAAA,EAAU,CAAA;AAAA;AAG/C,MAAA,MAAM,WAAqB,EAAC;AAE5B,MAAA,IAAA,CAAK,QAAQ,IAAI,CAAA;AACjB,MAAA,KAAA,MAAW,KAAS,IAAA,IAAA,CAAK,QAAS,CAAA,MAAA,EAAU,EAAA;AAC1C,QAAA,IAAI,IAAK,CAAA,SAAA,CAAU,KAAO,EAAA,IAAI,CAAG,EAAA;AAC/B,UAAS,QAAA,CAAA,IAAA,CAAK,MAAM,IAAI,CAAA;AAAA;AAC1B;AAGF,MAAO,OAAA,OAAA,CAAQ,QAAQ,QAAQ,CAAA;AAAA;AAGjC,IAAA,OAAO,EAAC;AAAA;AACV;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,QAAS,CAAA,KAAA,EAAA,GAAkB,OAAsC,EAAA;AACrE,IAAM,MAAA,IAAI,MAAM,oCAAoC,CAAA;AAAA;AACtD;AAAA;AAAA;AAAA,EAKA,MAAM,UAA4B,GAAA;AAAA;AAElC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUQ,gBAAgB,IAA8B,EAAA;AACpD,IAAA,MAAM,IAAO,GAAA,IAAA,CAAK,QAAS,CAAA,GAAA,CAAI,IAAI,CAAA;AACnC,IAAA,IAAI,IAAM,EAAA;AACR,MAAO,OAAA,IAAA;AAAA;AAET,IAAM,MAAA,OAAA,GAAU,IAAIA,yBAAA,CAAe,IAAI,CAAA;AACvC,IAAK,IAAA,CAAA,QAAA,CAAS,GAAI,CAAA,IAAA,EAAM,OAAO,CAAA;AAE/B,IAAO,OAAA,OAAA;AAAA;AACT;AAAA,EAGQ,gBAAgB,IAAsB,EAAA;AAC5C,IAAM,MAAA,MAAA,GAAS,IAAK,CAAA,KAAA,CAAM,GAAG,CAAA;AAC7B,IAAA,OAAO,OAAO,CAAC,CAAA;AAAA;AACjB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,UAAsB,GAAA;AACpB,IAAA,MAAM,MAAS,GAAA,IAAA,CAAK,YAAa,CAAA,MAAA,CAAO,MAAO,CAAA,MAAA;AAC/C,IAAA,OAAO,MAAW,KAAA,IAAA;AAAA;AACpB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAc,kBAAA,CACZ,KACA,EAAA,KAAA,EACA,WAC8B,EAAA;AAC9B,IAAM,MAAA,QAAA,GAAW,IAAK,CAAA,eAAA,CAAgB,KAAK,CAAA;AAG3C,IAAI,IAAA,IAAA,CAAK,gBAAgB,KAAK,CAAA,KAAM,UAAU,QAAS,CAAA,SAAA,CAAU,KAAK,CAAG,EAAA;AACvE,MAAO,OAAA,IAAA;AAAA;AAIT,IAAA,IAAI,QAAS,CAAA,UAAA,EAAa,CAAA,MAAA,KAAW,CAAG,EAAA;AACtC,MAAK,IAAA,CAAA,QAAA,CAAS,OAAO,KAAK,CAAA;AAAA;AAG5B,IAAA,IAAI,WAAe,IAAA,WAAA,CAAY,SAAU,CAAA,KAAK,CAAG,EAAA;AAC/C,MAAO,OAAA,IAAA;AAAA;AAGT,IAAO,OAAA,KAAA,CAAA;AAAA;AACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASQ,SAAA,CACN,MACA,IACS,EAAA;AACT,IAAA,IAAI,SAAS,KAAW,CAAA,EAAA;AACtB,MAAO,OAAA,KAAA;AAAA;AAGT,IAAW,KAAA,MAAA,MAAA,IAAU,IAAK,CAAA,UAAA,EAAc,EAAA;AACtC,MAAI,IAAA,IAAA,CAAK,YAAa,CAAA,MAAM,CAAG,EAAA;AAC7B,QAAO,OAAA,IAAA;AAAA;AACT;AAEF,IAAO,OAAA,KAAA;AAAA;AAEX;;;;"}
|
|
@@ -22,29 +22,85 @@ class EnforcerDelegate {
|
|
|
22
22
|
return this;
|
|
23
23
|
}
|
|
24
24
|
async hasPolicy(...policy) {
|
|
25
|
-
|
|
25
|
+
const tempModel = casbin.newModelFromString(permissionModel.MODEL);
|
|
26
|
+
await this.enforcer.getAdapter().loadFilteredPolicy(
|
|
27
|
+
tempModel,
|
|
28
|
+
[
|
|
29
|
+
{
|
|
30
|
+
ptype: "p",
|
|
31
|
+
v0: policy[0],
|
|
32
|
+
v1: policy[1],
|
|
33
|
+
v2: policy[2],
|
|
34
|
+
v3: policy[3]
|
|
35
|
+
}
|
|
36
|
+
]
|
|
37
|
+
);
|
|
38
|
+
return tempModel.hasPolicy("p", "p", policy);
|
|
26
39
|
}
|
|
27
40
|
async hasGroupingPolicy(...policy) {
|
|
28
|
-
|
|
41
|
+
const tempModel = casbin.newModelFromString(permissionModel.MODEL);
|
|
42
|
+
await this.enforcer.getAdapter().loadFilteredPolicy(
|
|
43
|
+
tempModel,
|
|
44
|
+
[
|
|
45
|
+
{
|
|
46
|
+
ptype: "g",
|
|
47
|
+
v0: policy[0],
|
|
48
|
+
v1: policy[1]
|
|
49
|
+
}
|
|
50
|
+
]
|
|
51
|
+
);
|
|
52
|
+
return tempModel.hasPolicy("g", "g", policy);
|
|
29
53
|
}
|
|
30
54
|
async getPolicy() {
|
|
31
|
-
|
|
55
|
+
const tempModel = casbin.newModelFromString(permissionModel.MODEL);
|
|
56
|
+
await this.enforcer.getAdapter().loadFilteredPolicy(
|
|
57
|
+
tempModel,
|
|
58
|
+
[{ ptype: "p" }]
|
|
59
|
+
);
|
|
60
|
+
return await tempModel.getPolicy("p", "p");
|
|
32
61
|
}
|
|
33
62
|
async getGroupingPolicy() {
|
|
34
|
-
|
|
63
|
+
const tempModel = casbin.newModelFromString(permissionModel.MODEL);
|
|
64
|
+
await this.enforcer.getAdapter().loadFilteredPolicy(
|
|
65
|
+
tempModel,
|
|
66
|
+
[{ ptype: "g" }]
|
|
67
|
+
);
|
|
68
|
+
return await tempModel.getPolicy("g", "g");
|
|
35
69
|
}
|
|
36
70
|
async getRolesForUser(userEntityRef) {
|
|
37
71
|
return await this.enforcer.getRolesForUser(userEntityRef);
|
|
38
72
|
}
|
|
39
73
|
async getFilteredPolicy(fieldIndex, ...filter) {
|
|
40
|
-
|
|
74
|
+
const tempModel = casbin.newModelFromString(permissionModel.MODEL);
|
|
75
|
+
const filterArgs = [];
|
|
76
|
+
const filterObj = { ptype: "p" };
|
|
77
|
+
for (let i = 0; i < filter.length; i++) {
|
|
78
|
+
filterObj[`v${i + fieldIndex}`] = filter[i];
|
|
79
|
+
filterArgs.push(filterObj);
|
|
80
|
+
}
|
|
81
|
+
await this.enforcer.getAdapter().loadFilteredPolicy(
|
|
82
|
+
tempModel,
|
|
83
|
+
filterArgs
|
|
84
|
+
);
|
|
85
|
+
return await tempModel.getPolicy("p", "p");
|
|
41
86
|
}
|
|
42
87
|
async getFilteredGroupingPolicy(fieldIndex, ...filter) {
|
|
43
|
-
|
|
88
|
+
const tempModel = casbin.newModelFromString(permissionModel.MODEL);
|
|
89
|
+
const filterArgs = [];
|
|
90
|
+
const filterObj = { ptype: "g" };
|
|
91
|
+
for (let i = 0; i < filter.length; i++) {
|
|
92
|
+
filterObj[`v${i + fieldIndex}`] = filter[i];
|
|
93
|
+
filterArgs.push(filterObj);
|
|
94
|
+
}
|
|
95
|
+
await this.enforcer.getAdapter().loadFilteredPolicy(
|
|
96
|
+
tempModel,
|
|
97
|
+
filterArgs
|
|
98
|
+
);
|
|
99
|
+
return await tempModel.getPolicy("g", "g");
|
|
44
100
|
}
|
|
45
101
|
async addPolicy(policy, externalTrx) {
|
|
46
102
|
const trx = externalTrx ?? await this.knex.transaction();
|
|
47
|
-
if (await this.
|
|
103
|
+
if (await this.hasPolicy(...policy)) {
|
|
48
104
|
return;
|
|
49
105
|
}
|
|
50
106
|
try {
|
|
@@ -87,7 +143,7 @@ class EnforcerDelegate {
|
|
|
87
143
|
async addGroupingPolicy(policy, roleMetadata, externalTrx) {
|
|
88
144
|
const trx = externalTrx ?? await this.knex.transaction();
|
|
89
145
|
const entityRef = roleMetadata.roleEntityRef;
|
|
90
|
-
if (await this.
|
|
146
|
+
if (await this.hasGroupingPolicy(...policy)) {
|
|
91
147
|
return;
|
|
92
148
|
}
|
|
93
149
|
try {
|
|
@@ -244,7 +300,10 @@ class EnforcerDelegate {
|
|
|
244
300
|
}
|
|
245
301
|
if (!isUpdate) {
|
|
246
302
|
const currentRoleMetadata = await this.roleMetadataStorage.findRoleMetadata(roleEntity, trx);
|
|
247
|
-
const remainingGroupPolicies = await this.
|
|
303
|
+
const remainingGroupPolicies = await this.getFilteredGroupingPolicy(
|
|
304
|
+
1,
|
|
305
|
+
roleEntity
|
|
306
|
+
);
|
|
248
307
|
if (currentRoleMetadata && remainingGroupPolicies.length === 0 && roleEntity !== adminCreation.ADMIN_ROLE_NAME) {
|
|
249
308
|
await this.roleMetadataStorage.removeRoleMetadata(roleEntity, trx);
|
|
250
309
|
} else if (currentRoleMetadata) {
|
|
@@ -277,7 +336,10 @@ class EnforcerDelegate {
|
|
|
277
336
|
}
|
|
278
337
|
if (!isUpdate) {
|
|
279
338
|
const currentRoleMetadata = await this.roleMetadataStorage.findRoleMetadata(roleEntity, trx);
|
|
280
|
-
const remainingGroupPolicies = await this.
|
|
339
|
+
const remainingGroupPolicies = await this.getFilteredGroupingPolicy(
|
|
340
|
+
1,
|
|
341
|
+
roleEntity
|
|
342
|
+
);
|
|
281
343
|
if (currentRoleMetadata && remainingGroupPolicies.length === 0 && roleEntity !== adminCreation.ADMIN_ROLE_NAME) {
|
|
282
344
|
await this.roleMetadataStorage.removeRoleMetadata(roleEntity, trx);
|
|
283
345
|
} else if (currentRoleMetadata) {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"enforcer-delegate.cjs.js","sources":["../../src/service/enforcer-delegate.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport { Enforcer, newModelFromString } from 'casbin';\nimport { Knex } from 'knex';\n\nimport EventEmitter from 'events';\n\nimport { ADMIN_ROLE_NAME } from '../admin-permissions/admin-creation';\nimport {\n RoleMetadataDao,\n RoleMetadataStorage,\n} from '../database/role-metadata';\nimport { mergeRoleMetadata, policiesToString, policyToString } from '../helper';\nimport { MODEL } from './permission-model';\n\nexport type RoleEvents = 'roleAdded';\nexport interface RoleEventEmitter<T extends RoleEvents> {\n on(event: T, listener: (roleEntityRef: string | string[]) => void): this;\n}\n\ntype EventMap = {\n [event in RoleEvents]: any[];\n};\n\nexport class EnforcerDelegate implements RoleEventEmitter<RoleEvents> {\n private readonly roleEventEmitter = new EventEmitter<EventMap>();\n\n constructor(\n private readonly enforcer: Enforcer,\n private readonly roleMetadataStorage: RoleMetadataStorage,\n private readonly knex: Knex,\n ) {}\n\n on(event: RoleEvents, listener: (role: string) => void): this {\n this.roleEventEmitter.on(event, listener);\n return this;\n }\n\n async hasPolicy(...policy: string[]): Promise<boolean> {\n return await this.enforcer.hasPolicy(...policy);\n }\n\n async hasGroupingPolicy(...policy: string[]): Promise<boolean> {\n return await this.enforcer.hasGroupingPolicy(...policy);\n }\n\n async getPolicy(): Promise<string[][]> {\n return await this.enforcer.getPolicy();\n }\n\n async getGroupingPolicy(): Promise<string[][]> {\n return await this.enforcer.getGroupingPolicy();\n }\n\n async getRolesForUser(userEntityRef: string): Promise<string[]> {\n return await this.enforcer.getRolesForUser(userEntityRef);\n }\n\n async getFilteredPolicy(\n fieldIndex: number,\n ...filter: string[]\n ): Promise<string[][]> {\n return await this.enforcer.getFilteredPolicy(fieldIndex, ...filter);\n }\n\n async getFilteredGroupingPolicy(\n fieldIndex: number,\n ...filter: string[]\n ): Promise<string[][]> {\n return await this.enforcer.getFilteredGroupingPolicy(fieldIndex, ...filter);\n }\n\n async addPolicy(\n policy: string[],\n externalTrx?: Knex.Transaction,\n ): Promise<void> {\n const trx = externalTrx ?? (await this.knex.transaction());\n\n if (await this.enforcer.hasPolicy(...policy)) {\n return;\n }\n try {\n const ok = await this.enforcer.addPolicy(...policy);\n if (!ok) {\n throw new Error(`failed to create policy ${policyToString(policy)}`);\n }\n if (!externalTrx) {\n await trx.commit();\n }\n } catch (err) {\n if (!externalTrx) {\n await trx.rollback(err);\n }\n throw err;\n }\n }\n\n async addPolicies(\n policies: string[][],\n externalTrx?: Knex.Transaction,\n ): Promise<void> {\n if (policies.length === 0) {\n return;\n }\n\n const trx = externalTrx || (await this.knex.transaction());\n\n try {\n const ok = await this.enforcer.addPolicies(policies);\n if (!ok) {\n throw new Error(\n `Failed to store policies ${policiesToString(policies)}`,\n );\n }\n if (!externalTrx) {\n await trx.commit();\n }\n } catch (err) {\n if (!externalTrx) {\n await trx.rollback(err);\n }\n throw err;\n }\n }\n\n async addGroupingPolicy(\n policy: string[],\n roleMetadata: RoleMetadataDao,\n externalTrx?: Knex.Transaction,\n ): Promise<void> {\n const trx = externalTrx ?? (await this.knex.transaction());\n const entityRef = roleMetadata.roleEntityRef;\n\n if (await this.enforcer.hasGroupingPolicy(...policy)) {\n return;\n }\n try {\n let currentMetadata;\n if (entityRef.startsWith(`role:`)) {\n currentMetadata = await this.roleMetadataStorage.findRoleMetadata(\n entityRef,\n trx,\n );\n }\n\n if (currentMetadata) {\n await this.roleMetadataStorage.updateRoleMetadata(\n mergeRoleMetadata(currentMetadata, roleMetadata),\n entityRef,\n trx,\n );\n } else {\n const currentDate: Date = new Date();\n roleMetadata.createdAt = currentDate.toUTCString();\n roleMetadata.lastModified = currentDate.toUTCString();\n await this.roleMetadataStorage.createRoleMetadata(roleMetadata, trx);\n }\n\n const ok = await this.enforcer.addGroupingPolicy(...policy);\n if (!ok) {\n throw new Error(`failed to create policy ${policyToString(policy)}`);\n }\n if (!externalTrx) {\n await trx.commit();\n }\n if (!currentMetadata) {\n this.roleEventEmitter.emit('roleAdded', roleMetadata.roleEntityRef);\n }\n } catch (err) {\n if (!externalTrx) {\n await trx.rollback(err);\n }\n throw err;\n }\n }\n\n async addGroupingPolicies(\n policies: string[][],\n roleMetadata: RoleMetadataDao,\n externalTrx?: Knex.Transaction,\n ): Promise<void> {\n if (policies.length === 0) {\n return;\n }\n\n const trx = externalTrx ?? (await this.knex.transaction());\n\n try {\n const currentRoleMetadata =\n await this.roleMetadataStorage.findRoleMetadata(\n roleMetadata.roleEntityRef,\n trx,\n );\n if (currentRoleMetadata) {\n await this.roleMetadataStorage.updateRoleMetadata(\n mergeRoleMetadata(currentRoleMetadata, roleMetadata),\n roleMetadata.roleEntityRef,\n trx,\n );\n } else {\n const currentDate: Date = new Date();\n roleMetadata.createdAt = currentDate.toUTCString();\n roleMetadata.lastModified = currentDate.toUTCString();\n await this.roleMetadataStorage.createRoleMetadata(roleMetadata, trx);\n }\n\n const ok = await this.enforcer.addGroupingPolicies(policies);\n if (!ok) {\n throw new Error(\n `Failed to store policies ${policiesToString(policies)}`,\n );\n }\n\n if (!externalTrx) {\n await trx.commit();\n }\n if (!currentRoleMetadata) {\n this.roleEventEmitter.emit('roleAdded', roleMetadata.roleEntityRef);\n }\n } catch (err) {\n if (!externalTrx) {\n await trx.rollback(err);\n }\n throw err;\n }\n }\n\n async updateGroupingPolicies(\n oldRole: string[][],\n newRole: string[][],\n newRoleMetadata: RoleMetadataDao,\n ): Promise<void> {\n const oldRoleName = oldRole.at(0)?.at(1)!;\n\n const trx = await this.knex.transaction();\n try {\n const currentMetadata = await this.roleMetadataStorage.findRoleMetadata(\n oldRoleName,\n trx,\n );\n if (!currentMetadata) {\n throw new Error(`Role metadata ${oldRoleName} was not found`);\n }\n\n await this.removeGroupingPolicies(oldRole, currentMetadata, true, trx);\n await this.addGroupingPolicies(newRole, newRoleMetadata, trx);\n await trx.commit();\n } catch (err) {\n await trx.rollback(err);\n throw err;\n }\n }\n\n async updatePolicies(\n oldPolicies: string[][],\n newPolicies: string[][],\n ): Promise<void> {\n const trx = await this.knex.transaction();\n\n try {\n await this.removePolicies(oldPolicies, trx);\n await this.addPolicies(newPolicies, trx);\n await trx.commit();\n } catch (err) {\n await trx.rollback(err);\n throw err;\n }\n }\n\n async removePolicy(policy: string[], externalTrx?: Knex.Transaction) {\n const trx = externalTrx ?? (await this.knex.transaction());\n\n try {\n const ok = await this.enforcer.removePolicy(...policy);\n if (!ok) {\n throw new Error(`fail to delete policy ${policy}`);\n }\n if (!externalTrx) {\n await trx.commit();\n }\n } catch (err) {\n if (!externalTrx) {\n await trx.rollback(err);\n }\n throw err;\n }\n }\n\n async removePolicies(\n policies: string[][],\n externalTrx?: Knex.Transaction,\n ): Promise<void> {\n const trx = externalTrx ?? (await this.knex.transaction());\n\n try {\n const ok = await this.enforcer.removePolicies(policies);\n if (!ok) {\n throw new Error(\n `Failed to delete policies ${policiesToString(policies)}`,\n );\n }\n\n if (!externalTrx) {\n await trx.commit();\n }\n } catch (err) {\n if (!externalTrx) {\n await trx.rollback(err);\n }\n throw err;\n }\n }\n\n async removeGroupingPolicy(\n policy: string[],\n roleMetadata: RoleMetadataDao,\n isUpdate?: boolean,\n externalTrx?: Knex.Transaction,\n ): Promise<void> {\n const trx = externalTrx ?? (await this.knex.transaction());\n const roleEntity = policy[1];\n\n try {\n const ok = await this.enforcer.removeGroupingPolicy(...policy);\n if (!ok) {\n throw new Error(`Failed to delete policy ${policyToString(policy)}`);\n }\n\n if (!isUpdate) {\n const currentRoleMetadata =\n await this.roleMetadataStorage.findRoleMetadata(roleEntity, trx);\n const remainingGroupPolicies =\n await this.enforcer.getFilteredGroupingPolicy(1, roleEntity);\n if (\n currentRoleMetadata &&\n remainingGroupPolicies.length === 0 &&\n roleEntity !== ADMIN_ROLE_NAME\n ) {\n await this.roleMetadataStorage.removeRoleMetadata(roleEntity, trx);\n } else if (currentRoleMetadata) {\n await this.roleMetadataStorage.updateRoleMetadata(\n mergeRoleMetadata(currentRoleMetadata, roleMetadata),\n roleEntity,\n trx,\n );\n }\n }\n\n if (!externalTrx) {\n await trx.commit();\n }\n } catch (err) {\n if (!externalTrx) {\n await trx.rollback(err);\n }\n throw err;\n }\n }\n\n async removeGroupingPolicies(\n policies: string[][],\n roleMetadata: RoleMetadataDao,\n isUpdate?: boolean,\n externalTrx?: Knex.Transaction,\n ): Promise<void> {\n const trx = externalTrx ?? (await this.knex.transaction());\n\n const roleEntity = roleMetadata.roleEntityRef;\n try {\n const ok = await this.enforcer.removeGroupingPolicies(policies);\n if (!ok) {\n throw new Error(\n `Failed to delete grouping policies: ${policiesToString(policies)}`,\n );\n }\n\n if (!isUpdate) {\n const currentRoleMetadata =\n await this.roleMetadataStorage.findRoleMetadata(roleEntity, trx);\n const remainingGroupPolicies =\n await this.enforcer.getFilteredGroupingPolicy(1, roleEntity);\n if (\n currentRoleMetadata &&\n remainingGroupPolicies.length === 0 &&\n roleEntity !== ADMIN_ROLE_NAME\n ) {\n await this.roleMetadataStorage.removeRoleMetadata(roleEntity, trx);\n } else if (currentRoleMetadata) {\n await this.roleMetadataStorage.updateRoleMetadata(\n mergeRoleMetadata(currentRoleMetadata, roleMetadata),\n roleEntity,\n trx,\n );\n }\n }\n\n if (!externalTrx) {\n await trx.commit();\n }\n } catch (err) {\n if (!externalTrx) {\n await trx.rollback(err);\n }\n throw err;\n }\n }\n\n /**\n * enforce aims to enforce a particular permission policy based on the user that it receives.\n * Under the hood, enforce uses the `enforce` method from the enforcer`.\n *\n * Before enforcement, a filter is set up to reduce the number of permission policies that will\n * be loaded in.\n * This will reduce the amount of checks that need to be made to determine if a user is authorize\n * to perform an action\n *\n * A temporary enforcer will also be used while enforcing.\n * This is to ensure that the filter does not interact with the base enforcer.\n * The temporary enforcer has lazy loading of the permission policies enabled to reduce the amount\n * of time it takes to initialize the temporary enforcer.\n * The justification for lazy loading is because permission policies are already present in the\n * role manager / database and it will be filtered and loaded whenever `loadFilteredPolicy` is called.\n * @param entityRef The user to enforce\n * @param resourceType The resource type / name of the permission policy\n * @param action The action of the permission policy\n * @param roles Any roles that the user is directly or indirectly attached to.\n * Used for filtering permission policies.\n * @returns True if the user is allowed based on the particular permission\n */\n async enforce(\n entityRef: string,\n resourceType: string,\n action: string,\n roles: string[],\n ): Promise<boolean> {\n const filter = [];\n if (roles.length > 0) {\n roles.forEach(role => {\n filter.push({ ptype: 'p', v0: role, v1: resourceType, v2: action });\n });\n } else {\n filter.push({ ptype: 'p', v1: resourceType, v2: action });\n }\n\n const adapt = this.enforcer.getAdapter();\n const roleManager = this.enforcer.getRoleManager();\n const tempEnforcer = new Enforcer();\n await tempEnforcer.initWithModelAndAdapter(\n newModelFromString(MODEL),\n adapt,\n true,\n );\n tempEnforcer.setRoleManager(roleManager);\n\n await tempEnforcer.loadFilteredPolicy(filter);\n\n return await tempEnforcer.enforce(entityRef, resourceType, action);\n }\n\n async getImplicitPermissionsForUser(user: string): Promise<string[][]> {\n return this.enforcer.getImplicitPermissionsForUser(user);\n }\n\n async getAllRoles(): Promise<string[]> {\n return this.enforcer.getAllRoles();\n }\n}\n"],"names":["EventEmitter","policyToString","policiesToString","mergeRoleMetadata","ADMIN_ROLE_NAME","Enforcer","newModelFromString","MODEL"],"mappings":";;;;;;;;;;;;AAqCO,MAAM,gBAAyD,CAAA;AAAA,EAGpE,WAAA,CACmB,QACA,EAAA,mBAAA,EACA,IACjB,EAAA;AAHiB,IAAA,IAAA,CAAA,QAAA,GAAA,QAAA,CAAA;AACA,IAAA,IAAA,CAAA,mBAAA,GAAA,mBAAA,CAAA;AACA,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA,CAAA;AAAA,GAChB;AAAA,EANc,gBAAA,GAAmB,IAAIA,6BAAuB,EAAA,CAAA;AAAA,EAQ/D,EAAA,CAAG,OAAmB,QAAwC,EAAA;AAC5D,IAAK,IAAA,CAAA,gBAAA,CAAiB,EAAG,CAAA,KAAA,EAAO,QAAQ,CAAA,CAAA;AACxC,IAAO,OAAA,IAAA,CAAA;AAAA,GACT;AAAA,EAEA,MAAM,aAAa,MAAoC,EAAA;AACrD,IAAA,OAAO,MAAM,IAAA,CAAK,QAAS,CAAA,SAAA,CAAU,GAAG,MAAM,CAAA,CAAA;AAAA,GAChD;AAAA,EAEA,MAAM,qBAAqB,MAAoC,EAAA;AAC7D,IAAA,OAAO,MAAM,IAAA,CAAK,QAAS,CAAA,iBAAA,CAAkB,GAAG,MAAM,CAAA,CAAA;AAAA,GACxD;AAAA,EAEA,MAAM,SAAiC,GAAA;AACrC,IAAO,OAAA,MAAM,IAAK,CAAA,QAAA,CAAS,SAAU,EAAA,CAAA;AAAA,GACvC;AAAA,EAEA,MAAM,iBAAyC,GAAA;AAC7C,IAAO,OAAA,MAAM,IAAK,CAAA,QAAA,CAAS,iBAAkB,EAAA,CAAA;AAAA,GAC/C;AAAA,EAEA,MAAM,gBAAgB,aAA0C,EAAA;AAC9D,IAAA,OAAO,MAAM,IAAA,CAAK,QAAS,CAAA,eAAA,CAAgB,aAAa,CAAA,CAAA;AAAA,GAC1D;AAAA,EAEA,MAAM,iBACJ,CAAA,UAAA,EAAA,GACG,MACkB,EAAA;AACrB,IAAA,OAAO,MAAM,IAAK,CAAA,QAAA,CAAS,iBAAkB,CAAA,UAAA,EAAY,GAAG,MAAM,CAAA,CAAA;AAAA,GACpE;AAAA,EAEA,MAAM,yBACJ,CAAA,UAAA,EAAA,GACG,MACkB,EAAA;AACrB,IAAA,OAAO,MAAM,IAAK,CAAA,QAAA,CAAS,yBAA0B,CAAA,UAAA,EAAY,GAAG,MAAM,CAAA,CAAA;AAAA,GAC5E;AAAA,EAEA,MAAM,SACJ,CAAA,MAAA,EACA,WACe,EAAA;AACf,IAAA,MAAM,GAAM,GAAA,WAAA,IAAgB,MAAM,IAAA,CAAK,KAAK,WAAY,EAAA,CAAA;AAExD,IAAA,IAAI,MAAM,IAAK,CAAA,QAAA,CAAS,SAAU,CAAA,GAAG,MAAM,CAAG,EAAA;AAC5C,MAAA,OAAA;AAAA,KACF;AACA,IAAI,IAAA;AACF,MAAA,MAAM,KAAK,MAAM,IAAA,CAAK,QAAS,CAAA,SAAA,CAAU,GAAG,MAAM,CAAA,CAAA;AAClD,MAAA,IAAI,CAAC,EAAI,EAAA;AACP,QAAA,MAAM,IAAI,KAAM,CAAA,CAAA,wBAAA,EAA2BC,qBAAe,CAAA,MAAM,CAAC,CAAE,CAAA,CAAA,CAAA;AAAA,OACrE;AACA,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAA,MAAM,IAAI,MAAO,EAAA,CAAA;AAAA,OACnB;AAAA,aACO,GAAK,EAAA;AACZ,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAM,MAAA,GAAA,CAAI,SAAS,GAAG,CAAA,CAAA;AAAA,OACxB;AACA,MAAM,MAAA,GAAA,CAAA;AAAA,KACR;AAAA,GACF;AAAA,EAEA,MAAM,WACJ,CAAA,QAAA,EACA,WACe,EAAA;AACf,IAAI,IAAA,QAAA,CAAS,WAAW,CAAG,EAAA;AACzB,MAAA,OAAA;AAAA,KACF;AAEA,IAAA,MAAM,GAAM,GAAA,WAAA,IAAgB,MAAM,IAAA,CAAK,KAAK,WAAY,EAAA,CAAA;AAExD,IAAI,IAAA;AACF,MAAA,MAAM,EAAK,GAAA,MAAM,IAAK,CAAA,QAAA,CAAS,YAAY,QAAQ,CAAA,CAAA;AACnD,MAAA,IAAI,CAAC,EAAI,EAAA;AACP,QAAA,MAAM,IAAI,KAAA;AAAA,UACR,CAAA,yBAAA,EAA4BC,uBAAiB,CAAA,QAAQ,CAAC,CAAA,CAAA;AAAA,SACxD,CAAA;AAAA,OACF;AACA,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAA,MAAM,IAAI,MAAO,EAAA,CAAA;AAAA,OACnB;AAAA,aACO,GAAK,EAAA;AACZ,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAM,MAAA,GAAA,CAAI,SAAS,GAAG,CAAA,CAAA;AAAA,OACxB;AACA,MAAM,MAAA,GAAA,CAAA;AAAA,KACR;AAAA,GACF;AAAA,EAEA,MAAM,iBAAA,CACJ,MACA,EAAA,YAAA,EACA,WACe,EAAA;AACf,IAAA,MAAM,GAAM,GAAA,WAAA,IAAgB,MAAM,IAAA,CAAK,KAAK,WAAY,EAAA,CAAA;AACxD,IAAA,MAAM,YAAY,YAAa,CAAA,aAAA,CAAA;AAE/B,IAAA,IAAI,MAAM,IAAK,CAAA,QAAA,CAAS,iBAAkB,CAAA,GAAG,MAAM,CAAG,EAAA;AACpD,MAAA,OAAA;AAAA,KACF;AACA,IAAI,IAAA;AACF,MAAI,IAAA,eAAA,CAAA;AACJ,MAAI,IAAA,SAAA,CAAU,UAAW,CAAA,CAAA,KAAA,CAAO,CAAG,EAAA;AACjC,QAAkB,eAAA,GAAA,MAAM,KAAK,mBAAoB,CAAA,gBAAA;AAAA,UAC/C,SAAA;AAAA,UACA,GAAA;AAAA,SACF,CAAA;AAAA,OACF;AAEA,MAAA,IAAI,eAAiB,EAAA;AACnB,QAAA,MAAM,KAAK,mBAAoB,CAAA,kBAAA;AAAA,UAC7BC,wBAAA,CAAkB,iBAAiB,YAAY,CAAA;AAAA,UAC/C,SAAA;AAAA,UACA,GAAA;AAAA,SACF,CAAA;AAAA,OACK,MAAA;AACL,QAAM,MAAA,WAAA,uBAAwB,IAAK,EAAA,CAAA;AACnC,QAAa,YAAA,CAAA,SAAA,GAAY,YAAY,WAAY,EAAA,CAAA;AACjD,QAAa,YAAA,CAAA,YAAA,GAAe,YAAY,WAAY,EAAA,CAAA;AACpD,QAAA,MAAM,IAAK,CAAA,mBAAA,CAAoB,kBAAmB,CAAA,YAAA,EAAc,GAAG,CAAA,CAAA;AAAA,OACrE;AAEA,MAAA,MAAM,KAAK,MAAM,IAAA,CAAK,QAAS,CAAA,iBAAA,CAAkB,GAAG,MAAM,CAAA,CAAA;AAC1D,MAAA,IAAI,CAAC,EAAI,EAAA;AACP,QAAA,MAAM,IAAI,KAAM,CAAA,CAAA,wBAAA,EAA2BF,qBAAe,CAAA,MAAM,CAAC,CAAE,CAAA,CAAA,CAAA;AAAA,OACrE;AACA,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAA,MAAM,IAAI,MAAO,EAAA,CAAA;AAAA,OACnB;AACA,MAAA,IAAI,CAAC,eAAiB,EAAA;AACpB,QAAA,IAAA,CAAK,gBAAiB,CAAA,IAAA,CAAK,WAAa,EAAA,YAAA,CAAa,aAAa,CAAA,CAAA;AAAA,OACpE;AAAA,aACO,GAAK,EAAA;AACZ,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAM,MAAA,GAAA,CAAI,SAAS,GAAG,CAAA,CAAA;AAAA,OACxB;AACA,MAAM,MAAA,GAAA,CAAA;AAAA,KACR;AAAA,GACF;AAAA,EAEA,MAAM,mBAAA,CACJ,QACA,EAAA,YAAA,EACA,WACe,EAAA;AACf,IAAI,IAAA,QAAA,CAAS,WAAW,CAAG,EAAA;AACzB,MAAA,OAAA;AAAA,KACF;AAEA,IAAA,MAAM,GAAM,GAAA,WAAA,IAAgB,MAAM,IAAA,CAAK,KAAK,WAAY,EAAA,CAAA;AAExD,IAAI,IAAA;AACF,MAAM,MAAA,mBAAA,GACJ,MAAM,IAAA,CAAK,mBAAoB,CAAA,gBAAA;AAAA,QAC7B,YAAa,CAAA,aAAA;AAAA,QACb,GAAA;AAAA,OACF,CAAA;AACF,MAAA,IAAI,mBAAqB,EAAA;AACvB,QAAA,MAAM,KAAK,mBAAoB,CAAA,kBAAA;AAAA,UAC7BE,wBAAA,CAAkB,qBAAqB,YAAY,CAAA;AAAA,UACnD,YAAa,CAAA,aAAA;AAAA,UACb,GAAA;AAAA,SACF,CAAA;AAAA,OACK,MAAA;AACL,QAAM,MAAA,WAAA,uBAAwB,IAAK,EAAA,CAAA;AACnC,QAAa,YAAA,CAAA,SAAA,GAAY,YAAY,WAAY,EAAA,CAAA;AACjD,QAAa,YAAA,CAAA,YAAA,GAAe,YAAY,WAAY,EAAA,CAAA;AACpD,QAAA,MAAM,IAAK,CAAA,mBAAA,CAAoB,kBAAmB,CAAA,YAAA,EAAc,GAAG,CAAA,CAAA;AAAA,OACrE;AAEA,MAAA,MAAM,EAAK,GAAA,MAAM,IAAK,CAAA,QAAA,CAAS,oBAAoB,QAAQ,CAAA,CAAA;AAC3D,MAAA,IAAI,CAAC,EAAI,EAAA;AACP,QAAA,MAAM,IAAI,KAAA;AAAA,UACR,CAAA,yBAAA,EAA4BD,uBAAiB,CAAA,QAAQ,CAAC,CAAA,CAAA;AAAA,SACxD,CAAA;AAAA,OACF;AAEA,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAA,MAAM,IAAI,MAAO,EAAA,CAAA;AAAA,OACnB;AACA,MAAA,IAAI,CAAC,mBAAqB,EAAA;AACxB,QAAA,IAAA,CAAK,gBAAiB,CAAA,IAAA,CAAK,WAAa,EAAA,YAAA,CAAa,aAAa,CAAA,CAAA;AAAA,OACpE;AAAA,aACO,GAAK,EAAA;AACZ,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAM,MAAA,GAAA,CAAI,SAAS,GAAG,CAAA,CAAA;AAAA,OACxB;AACA,MAAM,MAAA,GAAA,CAAA;AAAA,KACR;AAAA,GACF;AAAA,EAEA,MAAM,sBAAA,CACJ,OACA,EAAA,OAAA,EACA,eACe,EAAA;AACf,IAAA,MAAM,cAAc,OAAQ,CAAA,EAAA,CAAG,CAAC,CAAA,EAAG,GAAG,CAAC,CAAA,CAAA;AAEvC,IAAA,MAAM,GAAM,GAAA,MAAM,IAAK,CAAA,IAAA,CAAK,WAAY,EAAA,CAAA;AACxC,IAAI,IAAA;AACF,MAAM,MAAA,eAAA,GAAkB,MAAM,IAAA,CAAK,mBAAoB,CAAA,gBAAA;AAAA,QACrD,WAAA;AAAA,QACA,GAAA;AAAA,OACF,CAAA;AACA,MAAA,IAAI,CAAC,eAAiB,EAAA;AACpB,QAAA,MAAM,IAAI,KAAA,CAAM,CAAiB,cAAA,EAAA,WAAW,CAAgB,cAAA,CAAA,CAAA,CAAA;AAAA,OAC9D;AAEA,MAAA,MAAM,IAAK,CAAA,sBAAA,CAAuB,OAAS,EAAA,eAAA,EAAiB,MAAM,GAAG,CAAA,CAAA;AACrE,MAAA,MAAM,IAAK,CAAA,mBAAA,CAAoB,OAAS,EAAA,eAAA,EAAiB,GAAG,CAAA,CAAA;AAC5D,MAAA,MAAM,IAAI,MAAO,EAAA,CAAA;AAAA,aACV,GAAK,EAAA;AACZ,MAAM,MAAA,GAAA,CAAI,SAAS,GAAG,CAAA,CAAA;AACtB,MAAM,MAAA,GAAA,CAAA;AAAA,KACR;AAAA,GACF;AAAA,EAEA,MAAM,cACJ,CAAA,WAAA,EACA,WACe,EAAA;AACf,IAAA,MAAM,GAAM,GAAA,MAAM,IAAK,CAAA,IAAA,CAAK,WAAY,EAAA,CAAA;AAExC,IAAI,IAAA;AACF,MAAM,MAAA,IAAA,CAAK,cAAe,CAAA,WAAA,EAAa,GAAG,CAAA,CAAA;AAC1C,MAAM,MAAA,IAAA,CAAK,WAAY,CAAA,WAAA,EAAa,GAAG,CAAA,CAAA;AACvC,MAAA,MAAM,IAAI,MAAO,EAAA,CAAA;AAAA,aACV,GAAK,EAAA;AACZ,MAAM,MAAA,GAAA,CAAI,SAAS,GAAG,CAAA,CAAA;AACtB,MAAM,MAAA,GAAA,CAAA;AAAA,KACR;AAAA,GACF;AAAA,EAEA,MAAM,YAAa,CAAA,MAAA,EAAkB,WAAgC,EAAA;AACnE,IAAA,MAAM,GAAM,GAAA,WAAA,IAAgB,MAAM,IAAA,CAAK,KAAK,WAAY,EAAA,CAAA;AAExD,IAAI,IAAA;AACF,MAAA,MAAM,KAAK,MAAM,IAAA,CAAK,QAAS,CAAA,YAAA,CAAa,GAAG,MAAM,CAAA,CAAA;AACrD,MAAA,IAAI,CAAC,EAAI,EAAA;AACP,QAAA,MAAM,IAAI,KAAA,CAAM,CAAyB,sBAAA,EAAA,MAAM,CAAE,CAAA,CAAA,CAAA;AAAA,OACnD;AACA,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAA,MAAM,IAAI,MAAO,EAAA,CAAA;AAAA,OACnB;AAAA,aACO,GAAK,EAAA;AACZ,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAM,MAAA,GAAA,CAAI,SAAS,GAAG,CAAA,CAAA;AAAA,OACxB;AACA,MAAM,MAAA,GAAA,CAAA;AAAA,KACR;AAAA,GACF;AAAA,EAEA,MAAM,cACJ,CAAA,QAAA,EACA,WACe,EAAA;AACf,IAAA,MAAM,GAAM,GAAA,WAAA,IAAgB,MAAM,IAAA,CAAK,KAAK,WAAY,EAAA,CAAA;AAExD,IAAI,IAAA;AACF,MAAA,MAAM,EAAK,GAAA,MAAM,IAAK,CAAA,QAAA,CAAS,eAAe,QAAQ,CAAA,CAAA;AACtD,MAAA,IAAI,CAAC,EAAI,EAAA;AACP,QAAA,MAAM,IAAI,KAAA;AAAA,UACR,CAAA,0BAAA,EAA6BA,uBAAiB,CAAA,QAAQ,CAAC,CAAA,CAAA;AAAA,SACzD,CAAA;AAAA,OACF;AAEA,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAA,MAAM,IAAI,MAAO,EAAA,CAAA;AAAA,OACnB;AAAA,aACO,GAAK,EAAA;AACZ,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAM,MAAA,GAAA,CAAI,SAAS,GAAG,CAAA,CAAA;AAAA,OACxB;AACA,MAAM,MAAA,GAAA,CAAA;AAAA,KACR;AAAA,GACF;AAAA,EAEA,MAAM,oBAAA,CACJ,MACA,EAAA,YAAA,EACA,UACA,WACe,EAAA;AACf,IAAA,MAAM,GAAM,GAAA,WAAA,IAAgB,MAAM,IAAA,CAAK,KAAK,WAAY,EAAA,CAAA;AACxD,IAAM,MAAA,UAAA,GAAa,OAAO,CAAC,CAAA,CAAA;AAE3B,IAAI,IAAA;AACF,MAAA,MAAM,KAAK,MAAM,IAAA,CAAK,QAAS,CAAA,oBAAA,CAAqB,GAAG,MAAM,CAAA,CAAA;AAC7D,MAAA,IAAI,CAAC,EAAI,EAAA;AACP,QAAA,MAAM,IAAI,KAAM,CAAA,CAAA,wBAAA,EAA2BD,qBAAe,CAAA,MAAM,CAAC,CAAE,CAAA,CAAA,CAAA;AAAA,OACrE;AAEA,MAAA,IAAI,CAAC,QAAU,EAAA;AACb,QAAA,MAAM,sBACJ,MAAM,IAAA,CAAK,mBAAoB,CAAA,gBAAA,CAAiB,YAAY,GAAG,CAAA,CAAA;AACjE,QAAA,MAAM,yBACJ,MAAM,IAAA,CAAK,QAAS,CAAA,yBAAA,CAA0B,GAAG,UAAU,CAAA,CAAA;AAC7D,QAAA,IACE,mBACA,IAAA,sBAAA,CAAuB,MAAW,KAAA,CAAA,IAClC,eAAeG,6BACf,EAAA;AACA,UAAA,MAAM,IAAK,CAAA,mBAAA,CAAoB,kBAAmB,CAAA,UAAA,EAAY,GAAG,CAAA,CAAA;AAAA,mBACxD,mBAAqB,EAAA;AAC9B,UAAA,MAAM,KAAK,mBAAoB,CAAA,kBAAA;AAAA,YAC7BD,wBAAA,CAAkB,qBAAqB,YAAY,CAAA;AAAA,YACnD,UAAA;AAAA,YACA,GAAA;AAAA,WACF,CAAA;AAAA,SACF;AAAA,OACF;AAEA,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAA,MAAM,IAAI,MAAO,EAAA,CAAA;AAAA,OACnB;AAAA,aACO,GAAK,EAAA;AACZ,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAM,MAAA,GAAA,CAAI,SAAS,GAAG,CAAA,CAAA;AAAA,OACxB;AACA,MAAM,MAAA,GAAA,CAAA;AAAA,KACR;AAAA,GACF;AAAA,EAEA,MAAM,sBAAA,CACJ,QACA,EAAA,YAAA,EACA,UACA,WACe,EAAA;AACf,IAAA,MAAM,GAAM,GAAA,WAAA,IAAgB,MAAM,IAAA,CAAK,KAAK,WAAY,EAAA,CAAA;AAExD,IAAA,MAAM,aAAa,YAAa,CAAA,aAAA,CAAA;AAChC,IAAI,IAAA;AACF,MAAA,MAAM,EAAK,GAAA,MAAM,IAAK,CAAA,QAAA,CAAS,uBAAuB,QAAQ,CAAA,CAAA;AAC9D,MAAA,IAAI,CAAC,EAAI,EAAA;AACP,QAAA,MAAM,IAAI,KAAA;AAAA,UACR,CAAA,oCAAA,EAAuCD,uBAAiB,CAAA,QAAQ,CAAC,CAAA,CAAA;AAAA,SACnE,CAAA;AAAA,OACF;AAEA,MAAA,IAAI,CAAC,QAAU,EAAA;AACb,QAAA,MAAM,sBACJ,MAAM,IAAA,CAAK,mBAAoB,CAAA,gBAAA,CAAiB,YAAY,GAAG,CAAA,CAAA;AACjE,QAAA,MAAM,yBACJ,MAAM,IAAA,CAAK,QAAS,CAAA,yBAAA,CAA0B,GAAG,UAAU,CAAA,CAAA;AAC7D,QAAA,IACE,mBACA,IAAA,sBAAA,CAAuB,MAAW,KAAA,CAAA,IAClC,eAAeE,6BACf,EAAA;AACA,UAAA,MAAM,IAAK,CAAA,mBAAA,CAAoB,kBAAmB,CAAA,UAAA,EAAY,GAAG,CAAA,CAAA;AAAA,mBACxD,mBAAqB,EAAA;AAC9B,UAAA,MAAM,KAAK,mBAAoB,CAAA,kBAAA;AAAA,YAC7BD,wBAAA,CAAkB,qBAAqB,YAAY,CAAA;AAAA,YACnD,UAAA;AAAA,YACA,GAAA;AAAA,WACF,CAAA;AAAA,SACF;AAAA,OACF;AAEA,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAA,MAAM,IAAI,MAAO,EAAA,CAAA;AAAA,OACnB;AAAA,aACO,GAAK,EAAA;AACZ,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAM,MAAA,GAAA,CAAI,SAAS,GAAG,CAAA,CAAA;AAAA,OACxB;AACA,MAAM,MAAA,GAAA,CAAA;AAAA,KACR;AAAA,GACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAwBA,MAAM,OAAA,CACJ,SACA,EAAA,YAAA,EACA,QACA,KACkB,EAAA;AAClB,IAAA,MAAM,SAAS,EAAC,CAAA;AAChB,IAAI,IAAA,KAAA,CAAM,SAAS,CAAG,EAAA;AACpB,MAAA,KAAA,CAAM,QAAQ,CAAQ,IAAA,KAAA;AACpB,QAAO,MAAA,CAAA,IAAA,CAAK,EAAE,KAAA,EAAO,GAAK,EAAA,EAAA,EAAI,MAAM,EAAI,EAAA,YAAA,EAAc,EAAI,EAAA,MAAA,EAAQ,CAAA,CAAA;AAAA,OACnE,CAAA,CAAA;AAAA,KACI,MAAA;AACL,MAAO,MAAA,CAAA,IAAA,CAAK,EAAE,KAAO,EAAA,GAAA,EAAK,IAAI,YAAc,EAAA,EAAA,EAAI,QAAQ,CAAA,CAAA;AAAA,KAC1D;AAEA,IAAM,MAAA,KAAA,GAAQ,IAAK,CAAA,QAAA,CAAS,UAAW,EAAA,CAAA;AACvC,IAAM,MAAA,WAAA,GAAc,IAAK,CAAA,QAAA,CAAS,cAAe,EAAA,CAAA;AACjD,IAAM,MAAA,YAAA,GAAe,IAAIE,eAAS,EAAA,CAAA;AAClC,IAAA,MAAM,YAAa,CAAA,uBAAA;AAAA,MACjBC,0BAAmBC,qBAAK,CAAA;AAAA,MACxB,KAAA;AAAA,MACA,IAAA;AAAA,KACF,CAAA;AACA,IAAA,YAAA,CAAa,eAAe,WAAW,CAAA,CAAA;AAEvC,IAAM,MAAA,YAAA,CAAa,mBAAmB,MAAM,CAAA,CAAA;AAE5C,IAAA,OAAO,MAAM,YAAA,CAAa,OAAQ,CAAA,SAAA,EAAW,cAAc,MAAM,CAAA,CAAA;AAAA,GACnE;AAAA,EAEA,MAAM,8BAA8B,IAAmC,EAAA;AACrE,IAAO,OAAA,IAAA,CAAK,QAAS,CAAA,6BAAA,CAA8B,IAAI,CAAA,CAAA;AAAA,GACzD;AAAA,EAEA,MAAM,WAAiC,GAAA;AACrC,IAAO,OAAA,IAAA,CAAK,SAAS,WAAY,EAAA,CAAA;AAAA,GACnC;AACF;;;;"}
|
|
1
|
+
{"version":3,"file":"enforcer-delegate.cjs.js","sources":["../../src/service/enforcer-delegate.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport { Enforcer, FilteredAdapter, newModelFromString } from 'casbin';\nimport { Knex } from 'knex';\n\nimport EventEmitter from 'events';\n\nimport { ADMIN_ROLE_NAME } from '../admin-permissions/admin-creation';\nimport {\n RoleMetadataDao,\n RoleMetadataStorage,\n} from '../database/role-metadata';\nimport { mergeRoleMetadata, policiesToString, policyToString } from '../helper';\nimport { MODEL } from './permission-model';\n\nexport type RoleEvents = 'roleAdded';\nexport interface RoleEventEmitter<T extends RoleEvents> {\n on(event: T, listener: (roleEntityRef: string | string[]) => void): this;\n}\n\ntype EventMap = {\n [event in RoleEvents]: any[];\n};\n\nexport class EnforcerDelegate implements RoleEventEmitter<RoleEvents> {\n private readonly roleEventEmitter = new EventEmitter<EventMap>();\n\n constructor(\n private readonly enforcer: Enforcer,\n private readonly roleMetadataStorage: RoleMetadataStorage,\n private readonly knex: Knex,\n ) {}\n\n on(event: RoleEvents, listener: (role: string) => void): this {\n this.roleEventEmitter.on(event, listener);\n return this;\n }\n\n async hasPolicy(...policy: string[]): Promise<boolean> {\n const tempModel = newModelFromString(MODEL);\n await (this.enforcer.getAdapter() as FilteredAdapter).loadFilteredPolicy(\n tempModel,\n [\n {\n ptype: 'p',\n v0: policy[0],\n v1: policy[1],\n v2: policy[2],\n v3: policy[3],\n },\n ],\n );\n return tempModel.hasPolicy('p', 'p', policy);\n }\n\n async hasGroupingPolicy(...policy: string[]): Promise<boolean> {\n const tempModel = newModelFromString(MODEL);\n await (this.enforcer.getAdapter() as FilteredAdapter).loadFilteredPolicy(\n tempModel,\n [\n {\n ptype: 'g',\n v0: policy[0],\n v1: policy[1],\n },\n ],\n );\n return tempModel.hasPolicy('g', 'g', policy);\n }\n\n async getPolicy(): Promise<string[][]> {\n const tempModel = newModelFromString(MODEL);\n await (this.enforcer.getAdapter() as FilteredAdapter).loadFilteredPolicy(\n tempModel,\n [{ ptype: 'p' }],\n );\n return await tempModel.getPolicy('p', 'p');\n }\n\n async getGroupingPolicy(): Promise<string[][]> {\n const tempModel = newModelFromString(MODEL);\n await (this.enforcer.getAdapter() as FilteredAdapter).loadFilteredPolicy(\n tempModel,\n [{ ptype: 'g' }],\n );\n return await tempModel.getPolicy('g', 'g');\n }\n\n async getRolesForUser(userEntityRef: string): Promise<string[]> {\n return await this.enforcer.getRolesForUser(userEntityRef);\n }\n\n async getFilteredPolicy(\n fieldIndex: number,\n ...filter: string[]\n ): Promise<string[][]> {\n const tempModel = newModelFromString(MODEL);\n\n const filterArgs: Record<string, string>[] = [];\n const filterObj: Record<string, string> = { ptype: 'p' };\n for (let i = 0; i < filter.length; i++) {\n filterObj[`v${i + fieldIndex}`] = filter[i];\n filterArgs.push(filterObj);\n }\n\n await (this.enforcer.getAdapter() as FilteredAdapter).loadFilteredPolicy(\n tempModel,\n filterArgs,\n );\n\n return await tempModel.getPolicy('p', 'p');\n }\n\n async getFilteredGroupingPolicy(\n fieldIndex: number,\n ...filter: string[]\n ): Promise<string[][]> {\n const tempModel = newModelFromString(MODEL);\n\n const filterArgs: Record<string, string>[] = [];\n const filterObj: Record<string, string> = { ptype: 'g' };\n for (let i = 0; i < filter.length; i++) {\n filterObj[`v${i + fieldIndex}`] = filter[i];\n filterArgs.push(filterObj);\n }\n\n await (this.enforcer.getAdapter() as FilteredAdapter).loadFilteredPolicy(\n tempModel,\n filterArgs,\n );\n\n return await tempModel.getPolicy('g', 'g');\n }\n\n async addPolicy(\n policy: string[],\n externalTrx?: Knex.Transaction,\n ): Promise<void> {\n const trx = externalTrx ?? (await this.knex.transaction());\n\n if (await this.hasPolicy(...policy)) {\n return;\n }\n try {\n const ok = await this.enforcer.addPolicy(...policy);\n if (!ok) {\n throw new Error(`failed to create policy ${policyToString(policy)}`);\n }\n if (!externalTrx) {\n await trx.commit();\n }\n } catch (err) {\n if (!externalTrx) {\n await trx.rollback(err);\n }\n throw err;\n }\n }\n\n async addPolicies(\n policies: string[][],\n externalTrx?: Knex.Transaction,\n ): Promise<void> {\n if (policies.length === 0) {\n return;\n }\n\n const trx = externalTrx || (await this.knex.transaction());\n\n try {\n const ok = await this.enforcer.addPolicies(policies);\n if (!ok) {\n throw new Error(\n `Failed to store policies ${policiesToString(policies)}`,\n );\n }\n if (!externalTrx) {\n await trx.commit();\n }\n } catch (err) {\n if (!externalTrx) {\n await trx.rollback(err);\n }\n throw err;\n }\n }\n\n async addGroupingPolicy(\n policy: string[],\n roleMetadata: RoleMetadataDao,\n externalTrx?: Knex.Transaction,\n ): Promise<void> {\n const trx = externalTrx ?? (await this.knex.transaction());\n const entityRef = roleMetadata.roleEntityRef;\n\n if (await this.hasGroupingPolicy(...policy)) {\n return;\n }\n try {\n let currentMetadata;\n if (entityRef.startsWith(`role:`)) {\n currentMetadata = await this.roleMetadataStorage.findRoleMetadata(\n entityRef,\n trx,\n );\n }\n\n if (currentMetadata) {\n await this.roleMetadataStorage.updateRoleMetadata(\n mergeRoleMetadata(currentMetadata, roleMetadata),\n entityRef,\n trx,\n );\n } else {\n const currentDate: Date = new Date();\n roleMetadata.createdAt = currentDate.toUTCString();\n roleMetadata.lastModified = currentDate.toUTCString();\n await this.roleMetadataStorage.createRoleMetadata(roleMetadata, trx);\n }\n\n const ok = await this.enforcer.addGroupingPolicy(...policy);\n if (!ok) {\n throw new Error(`failed to create policy ${policyToString(policy)}`);\n }\n if (!externalTrx) {\n await trx.commit();\n }\n if (!currentMetadata) {\n this.roleEventEmitter.emit('roleAdded', roleMetadata.roleEntityRef);\n }\n } catch (err) {\n if (!externalTrx) {\n await trx.rollback(err);\n }\n throw err;\n }\n }\n\n async addGroupingPolicies(\n policies: string[][],\n roleMetadata: RoleMetadataDao,\n externalTrx?: Knex.Transaction,\n ): Promise<void> {\n if (policies.length === 0) {\n return;\n }\n\n const trx = externalTrx ?? (await this.knex.transaction());\n\n try {\n const currentRoleMetadata =\n await this.roleMetadataStorage.findRoleMetadata(\n roleMetadata.roleEntityRef,\n trx,\n );\n if (currentRoleMetadata) {\n await this.roleMetadataStorage.updateRoleMetadata(\n mergeRoleMetadata(currentRoleMetadata, roleMetadata),\n roleMetadata.roleEntityRef,\n trx,\n );\n } else {\n const currentDate: Date = new Date();\n roleMetadata.createdAt = currentDate.toUTCString();\n roleMetadata.lastModified = currentDate.toUTCString();\n await this.roleMetadataStorage.createRoleMetadata(roleMetadata, trx);\n }\n\n const ok = await this.enforcer.addGroupingPolicies(policies);\n if (!ok) {\n throw new Error(\n `Failed to store policies ${policiesToString(policies)}`,\n );\n }\n\n if (!externalTrx) {\n await trx.commit();\n }\n if (!currentRoleMetadata) {\n this.roleEventEmitter.emit('roleAdded', roleMetadata.roleEntityRef);\n }\n } catch (err) {\n if (!externalTrx) {\n await trx.rollback(err);\n }\n throw err;\n }\n }\n\n async updateGroupingPolicies(\n oldRole: string[][],\n newRole: string[][],\n newRoleMetadata: RoleMetadataDao,\n ): Promise<void> {\n const oldRoleName = oldRole.at(0)?.at(1)!;\n\n const trx = await this.knex.transaction();\n try {\n const currentMetadata = await this.roleMetadataStorage.findRoleMetadata(\n oldRoleName,\n trx,\n );\n if (!currentMetadata) {\n throw new Error(`Role metadata ${oldRoleName} was not found`);\n }\n\n await this.removeGroupingPolicies(oldRole, currentMetadata, true, trx);\n await this.addGroupingPolicies(newRole, newRoleMetadata, trx);\n await trx.commit();\n } catch (err) {\n await trx.rollback(err);\n throw err;\n }\n }\n\n async updatePolicies(\n oldPolicies: string[][],\n newPolicies: string[][],\n ): Promise<void> {\n const trx = await this.knex.transaction();\n\n try {\n await this.removePolicies(oldPolicies, trx);\n await this.addPolicies(newPolicies, trx);\n await trx.commit();\n } catch (err) {\n await trx.rollback(err);\n throw err;\n }\n }\n\n async removePolicy(policy: string[], externalTrx?: Knex.Transaction) {\n const trx = externalTrx ?? (await this.knex.transaction());\n\n try {\n const ok = await this.enforcer.removePolicy(...policy);\n if (!ok) {\n throw new Error(`fail to delete policy ${policy}`);\n }\n if (!externalTrx) {\n await trx.commit();\n }\n } catch (err) {\n if (!externalTrx) {\n await trx.rollback(err);\n }\n throw err;\n }\n }\n\n async removePolicies(\n policies: string[][],\n externalTrx?: Knex.Transaction,\n ): Promise<void> {\n const trx = externalTrx ?? (await this.knex.transaction());\n\n try {\n const ok = await this.enforcer.removePolicies(policies);\n if (!ok) {\n throw new Error(\n `Failed to delete policies ${policiesToString(policies)}`,\n );\n }\n\n if (!externalTrx) {\n await trx.commit();\n }\n } catch (err) {\n if (!externalTrx) {\n await trx.rollback(err);\n }\n throw err;\n }\n }\n\n async removeGroupingPolicy(\n policy: string[],\n roleMetadata: RoleMetadataDao,\n isUpdate?: boolean,\n externalTrx?: Knex.Transaction,\n ): Promise<void> {\n const trx = externalTrx ?? (await this.knex.transaction());\n const roleEntity = policy[1];\n\n try {\n const ok = await this.enforcer.removeGroupingPolicy(...policy);\n if (!ok) {\n throw new Error(`Failed to delete policy ${policyToString(policy)}`);\n }\n\n if (!isUpdate) {\n const currentRoleMetadata =\n await this.roleMetadataStorage.findRoleMetadata(roleEntity, trx);\n const remainingGroupPolicies = await this.getFilteredGroupingPolicy(\n 1,\n roleEntity,\n );\n if (\n currentRoleMetadata &&\n remainingGroupPolicies.length === 0 &&\n roleEntity !== ADMIN_ROLE_NAME\n ) {\n await this.roleMetadataStorage.removeRoleMetadata(roleEntity, trx);\n } else if (currentRoleMetadata) {\n await this.roleMetadataStorage.updateRoleMetadata(\n mergeRoleMetadata(currentRoleMetadata, roleMetadata),\n roleEntity,\n trx,\n );\n }\n }\n\n if (!externalTrx) {\n await trx.commit();\n }\n } catch (err) {\n if (!externalTrx) {\n await trx.rollback(err);\n }\n throw err;\n }\n }\n\n async removeGroupingPolicies(\n policies: string[][],\n roleMetadata: RoleMetadataDao,\n isUpdate?: boolean,\n externalTrx?: Knex.Transaction,\n ): Promise<void> {\n const trx = externalTrx ?? (await this.knex.transaction());\n\n const roleEntity = roleMetadata.roleEntityRef;\n try {\n const ok = await this.enforcer.removeGroupingPolicies(policies);\n if (!ok) {\n throw new Error(\n `Failed to delete grouping policies: ${policiesToString(policies)}`,\n );\n }\n\n if (!isUpdate) {\n const currentRoleMetadata =\n await this.roleMetadataStorage.findRoleMetadata(roleEntity, trx);\n const remainingGroupPolicies = await this.getFilteredGroupingPolicy(\n 1,\n roleEntity,\n );\n if (\n currentRoleMetadata &&\n remainingGroupPolicies.length === 0 &&\n roleEntity !== ADMIN_ROLE_NAME\n ) {\n await this.roleMetadataStorage.removeRoleMetadata(roleEntity, trx);\n } else if (currentRoleMetadata) {\n await this.roleMetadataStorage.updateRoleMetadata(\n mergeRoleMetadata(currentRoleMetadata, roleMetadata),\n roleEntity,\n trx,\n );\n }\n }\n\n if (!externalTrx) {\n await trx.commit();\n }\n } catch (err) {\n if (!externalTrx) {\n await trx.rollback(err);\n }\n throw err;\n }\n }\n\n /**\n * enforce aims to enforce a particular permission policy based on the user that it receives.\n * Under the hood, enforce uses the `enforce` method from the enforcer`.\n *\n * Before enforcement, a filter is set up to reduce the number of permission policies that will\n * be loaded in.\n * This will reduce the amount of checks that need to be made to determine if a user is authorize\n * to perform an action\n *\n * A temporary enforcer will also be used while enforcing.\n * This is to ensure that the filter does not interact with the base enforcer.\n * The temporary enforcer has lazy loading of the permission policies enabled to reduce the amount\n * of time it takes to initialize the temporary enforcer.\n * The justification for lazy loading is because permission policies are already present in the\n * role manager / database and it will be filtered and loaded whenever `loadFilteredPolicy` is called.\n * @param entityRef The user to enforce\n * @param resourceType The resource type / name of the permission policy\n * @param action The action of the permission policy\n * @param roles Any roles that the user is directly or indirectly attached to.\n * Used for filtering permission policies.\n * @returns True if the user is allowed based on the particular permission\n */\n async enforce(\n entityRef: string,\n resourceType: string,\n action: string,\n roles: string[],\n ): Promise<boolean> {\n const filter = [];\n if (roles.length > 0) {\n roles.forEach(role => {\n filter.push({ ptype: 'p', v0: role, v1: resourceType, v2: action });\n });\n } else {\n filter.push({ ptype: 'p', v1: resourceType, v2: action });\n }\n\n const adapt = this.enforcer.getAdapter();\n const roleManager = this.enforcer.getRoleManager();\n const tempEnforcer = new Enforcer();\n await tempEnforcer.initWithModelAndAdapter(\n newModelFromString(MODEL),\n adapt,\n true,\n );\n tempEnforcer.setRoleManager(roleManager);\n\n await tempEnforcer.loadFilteredPolicy(filter);\n\n return await tempEnforcer.enforce(entityRef, resourceType, action);\n }\n\n async getImplicitPermissionsForUser(user: string): Promise<string[][]> {\n return this.enforcer.getImplicitPermissionsForUser(user);\n }\n\n async getAllRoles(): Promise<string[]> {\n return this.enforcer.getAllRoles();\n }\n}\n"],"names":["EventEmitter","newModelFromString","MODEL","policyToString","policiesToString","mergeRoleMetadata","ADMIN_ROLE_NAME","Enforcer"],"mappings":";;;;;;;;;;;;AAqCO,MAAM,gBAAyD,CAAA;AAAA,EAGpE,WAAA,CACmB,QACA,EAAA,mBAAA,EACA,IACjB,EAAA;AAHiB,IAAA,IAAA,CAAA,QAAA,GAAA,QAAA;AACA,IAAA,IAAA,CAAA,mBAAA,GAAA,mBAAA;AACA,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AAAA;AAChB,EANc,gBAAA,GAAmB,IAAIA,6BAAuB,EAAA;AAAA,EAQ/D,EAAA,CAAG,OAAmB,QAAwC,EAAA;AAC5D,IAAK,IAAA,CAAA,gBAAA,CAAiB,EAAG,CAAA,KAAA,EAAO,QAAQ,CAAA;AACxC,IAAO,OAAA,IAAA;AAAA;AACT,EAEA,MAAM,aAAa,MAAoC,EAAA;AACrD,IAAM,MAAA,SAAA,GAAYC,0BAAmBC,qBAAK,CAAA;AAC1C,IAAO,MAAA,IAAA,CAAK,QAAS,CAAA,UAAA,EAAiC,CAAA,kBAAA;AAAA,MACpD,SAAA;AAAA,MACA;AAAA,QACE;AAAA,UACE,KAAO,EAAA,GAAA;AAAA,UACP,EAAA,EAAI,OAAO,CAAC,CAAA;AAAA,UACZ,EAAA,EAAI,OAAO,CAAC,CAAA;AAAA,UACZ,EAAA,EAAI,OAAO,CAAC,CAAA;AAAA,UACZ,EAAA,EAAI,OAAO,CAAC;AAAA;AACd;AACF,KACF;AACA,IAAA,OAAO,SAAU,CAAA,SAAA,CAAU,GAAK,EAAA,GAAA,EAAK,MAAM,CAAA;AAAA;AAC7C,EAEA,MAAM,qBAAqB,MAAoC,EAAA;AAC7D,IAAM,MAAA,SAAA,GAAYD,0BAAmBC,qBAAK,CAAA;AAC1C,IAAO,MAAA,IAAA,CAAK,QAAS,CAAA,UAAA,EAAiC,CAAA,kBAAA;AAAA,MACpD,SAAA;AAAA,MACA;AAAA,QACE;AAAA,UACE,KAAO,EAAA,GAAA;AAAA,UACP,EAAA,EAAI,OAAO,CAAC,CAAA;AAAA,UACZ,EAAA,EAAI,OAAO,CAAC;AAAA;AACd;AACF,KACF;AACA,IAAA,OAAO,SAAU,CAAA,SAAA,CAAU,GAAK,EAAA,GAAA,EAAK,MAAM,CAAA;AAAA;AAC7C,EAEA,MAAM,SAAiC,GAAA;AACrC,IAAM,MAAA,SAAA,GAAYD,0BAAmBC,qBAAK,CAAA;AAC1C,IAAO,MAAA,IAAA,CAAK,QAAS,CAAA,UAAA,EAAiC,CAAA,kBAAA;AAAA,MACpD,SAAA;AAAA,MACA,CAAC,EAAE,KAAO,EAAA,GAAA,EAAK;AAAA,KACjB;AACA,IAAA,OAAO,MAAM,SAAA,CAAU,SAAU,CAAA,GAAA,EAAK,GAAG,CAAA;AAAA;AAC3C,EAEA,MAAM,iBAAyC,GAAA;AAC7C,IAAM,MAAA,SAAA,GAAYD,0BAAmBC,qBAAK,CAAA;AAC1C,IAAO,MAAA,IAAA,CAAK,QAAS,CAAA,UAAA,EAAiC,CAAA,kBAAA;AAAA,MACpD,SAAA;AAAA,MACA,CAAC,EAAE,KAAO,EAAA,GAAA,EAAK;AAAA,KACjB;AACA,IAAA,OAAO,MAAM,SAAA,CAAU,SAAU,CAAA,GAAA,EAAK,GAAG,CAAA;AAAA;AAC3C,EAEA,MAAM,gBAAgB,aAA0C,EAAA;AAC9D,IAAA,OAAO,MAAM,IAAA,CAAK,QAAS,CAAA,eAAA,CAAgB,aAAa,CAAA;AAAA;AAC1D,EAEA,MAAM,iBACJ,CAAA,UAAA,EAAA,GACG,MACkB,EAAA;AACrB,IAAM,MAAA,SAAA,GAAYD,0BAAmBC,qBAAK,CAAA;AAE1C,IAAA,MAAM,aAAuC,EAAC;AAC9C,IAAM,MAAA,SAAA,GAAoC,EAAE,KAAA,EAAO,GAAI,EAAA;AACvD,IAAA,KAAA,IAAS,CAAI,GAAA,CAAA,EAAG,CAAI,GAAA,MAAA,CAAO,QAAQ,CAAK,EAAA,EAAA;AACtC,MAAA,SAAA,CAAU,IAAI,CAAI,GAAA,UAAU,CAAE,CAAA,CAAA,GAAI,OAAO,CAAC,CAAA;AAC1C,MAAA,UAAA,CAAW,KAAK,SAAS,CAAA;AAAA;AAG3B,IAAO,MAAA,IAAA,CAAK,QAAS,CAAA,UAAA,EAAiC,CAAA,kBAAA;AAAA,MACpD,SAAA;AAAA,MACA;AAAA,KACF;AAEA,IAAA,OAAO,MAAM,SAAA,CAAU,SAAU,CAAA,GAAA,EAAK,GAAG,CAAA;AAAA;AAC3C,EAEA,MAAM,yBACJ,CAAA,UAAA,EAAA,GACG,MACkB,EAAA;AACrB,IAAM,MAAA,SAAA,GAAYD,0BAAmBC,qBAAK,CAAA;AAE1C,IAAA,MAAM,aAAuC,EAAC;AAC9C,IAAM,MAAA,SAAA,GAAoC,EAAE,KAAA,EAAO,GAAI,EAAA;AACvD,IAAA,KAAA,IAAS,CAAI,GAAA,CAAA,EAAG,CAAI,GAAA,MAAA,CAAO,QAAQ,CAAK,EAAA,EAAA;AACtC,MAAA,SAAA,CAAU,IAAI,CAAI,GAAA,UAAU,CAAE,CAAA,CAAA,GAAI,OAAO,CAAC,CAAA;AAC1C,MAAA,UAAA,CAAW,KAAK,SAAS,CAAA;AAAA;AAG3B,IAAO,MAAA,IAAA,CAAK,QAAS,CAAA,UAAA,EAAiC,CAAA,kBAAA;AAAA,MACpD,SAAA;AAAA,MACA;AAAA,KACF;AAEA,IAAA,OAAO,MAAM,SAAA,CAAU,SAAU,CAAA,GAAA,EAAK,GAAG,CAAA;AAAA;AAC3C,EAEA,MAAM,SACJ,CAAA,MAAA,EACA,WACe,EAAA;AACf,IAAA,MAAM,GAAM,GAAA,WAAA,IAAgB,MAAM,IAAA,CAAK,KAAK,WAAY,EAAA;AAExD,IAAA,IAAI,MAAM,IAAA,CAAK,SAAU,CAAA,GAAG,MAAM,CAAG,EAAA;AACnC,MAAA;AAAA;AAEF,IAAI,IAAA;AACF,MAAA,MAAM,KAAK,MAAM,IAAA,CAAK,QAAS,CAAA,SAAA,CAAU,GAAG,MAAM,CAAA;AAClD,MAAA,IAAI,CAAC,EAAI,EAAA;AACP,QAAA,MAAM,IAAI,KAAM,CAAA,CAAA,wBAAA,EAA2BC,qBAAe,CAAA,MAAM,CAAC,CAAE,CAAA,CAAA;AAAA;AAErE,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAA,MAAM,IAAI,MAAO,EAAA;AAAA;AACnB,aACO,GAAK,EAAA;AACZ,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAM,MAAA,GAAA,CAAI,SAAS,GAAG,CAAA;AAAA;AAExB,MAAM,MAAA,GAAA;AAAA;AACR;AACF,EAEA,MAAM,WACJ,CAAA,QAAA,EACA,WACe,EAAA;AACf,IAAI,IAAA,QAAA,CAAS,WAAW,CAAG,EAAA;AACzB,MAAA;AAAA;AAGF,IAAA,MAAM,GAAM,GAAA,WAAA,IAAgB,MAAM,IAAA,CAAK,KAAK,WAAY,EAAA;AAExD,IAAI,IAAA;AACF,MAAA,MAAM,EAAK,GAAA,MAAM,IAAK,CAAA,QAAA,CAAS,YAAY,QAAQ,CAAA;AACnD,MAAA,IAAI,CAAC,EAAI,EAAA;AACP,QAAA,MAAM,IAAI,KAAA;AAAA,UACR,CAAA,yBAAA,EAA4BC,uBAAiB,CAAA,QAAQ,CAAC,CAAA;AAAA,SACxD;AAAA;AAEF,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAA,MAAM,IAAI,MAAO,EAAA;AAAA;AACnB,aACO,GAAK,EAAA;AACZ,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAM,MAAA,GAAA,CAAI,SAAS,GAAG,CAAA;AAAA;AAExB,MAAM,MAAA,GAAA;AAAA;AACR;AACF,EAEA,MAAM,iBAAA,CACJ,MACA,EAAA,YAAA,EACA,WACe,EAAA;AACf,IAAA,MAAM,GAAM,GAAA,WAAA,IAAgB,MAAM,IAAA,CAAK,KAAK,WAAY,EAAA;AACxD,IAAA,MAAM,YAAY,YAAa,CAAA,aAAA;AAE/B,IAAA,IAAI,MAAM,IAAA,CAAK,iBAAkB,CAAA,GAAG,MAAM,CAAG,EAAA;AAC3C,MAAA;AAAA;AAEF,IAAI,IAAA;AACF,MAAI,IAAA,eAAA;AACJ,MAAI,IAAA,SAAA,CAAU,UAAW,CAAA,CAAA,KAAA,CAAO,CAAG,EAAA;AACjC,QAAkB,eAAA,GAAA,MAAM,KAAK,mBAAoB,CAAA,gBAAA;AAAA,UAC/C,SAAA;AAAA,UACA;AAAA,SACF;AAAA;AAGF,MAAA,IAAI,eAAiB,EAAA;AACnB,QAAA,MAAM,KAAK,mBAAoB,CAAA,kBAAA;AAAA,UAC7BC,wBAAA,CAAkB,iBAAiB,YAAY,CAAA;AAAA,UAC/C,SAAA;AAAA,UACA;AAAA,SACF;AAAA,OACK,MAAA;AACL,QAAM,MAAA,WAAA,uBAAwB,IAAK,EAAA;AACnC,QAAa,YAAA,CAAA,SAAA,GAAY,YAAY,WAAY,EAAA;AACjD,QAAa,YAAA,CAAA,YAAA,GAAe,YAAY,WAAY,EAAA;AACpD,QAAA,MAAM,IAAK,CAAA,mBAAA,CAAoB,kBAAmB,CAAA,YAAA,EAAc,GAAG,CAAA;AAAA;AAGrE,MAAA,MAAM,KAAK,MAAM,IAAA,CAAK,QAAS,CAAA,iBAAA,CAAkB,GAAG,MAAM,CAAA;AAC1D,MAAA,IAAI,CAAC,EAAI,EAAA;AACP,QAAA,MAAM,IAAI,KAAM,CAAA,CAAA,wBAAA,EAA2BF,qBAAe,CAAA,MAAM,CAAC,CAAE,CAAA,CAAA;AAAA;AAErE,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAA,MAAM,IAAI,MAAO,EAAA;AAAA;AAEnB,MAAA,IAAI,CAAC,eAAiB,EAAA;AACpB,QAAA,IAAA,CAAK,gBAAiB,CAAA,IAAA,CAAK,WAAa,EAAA,YAAA,CAAa,aAAa,CAAA;AAAA;AACpE,aACO,GAAK,EAAA;AACZ,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAM,MAAA,GAAA,CAAI,SAAS,GAAG,CAAA;AAAA;AAExB,MAAM,MAAA,GAAA;AAAA;AACR;AACF,EAEA,MAAM,mBAAA,CACJ,QACA,EAAA,YAAA,EACA,WACe,EAAA;AACf,IAAI,IAAA,QAAA,CAAS,WAAW,CAAG,EAAA;AACzB,MAAA;AAAA;AAGF,IAAA,MAAM,GAAM,GAAA,WAAA,IAAgB,MAAM,IAAA,CAAK,KAAK,WAAY,EAAA;AAExD,IAAI,IAAA;AACF,MAAM,MAAA,mBAAA,GACJ,MAAM,IAAA,CAAK,mBAAoB,CAAA,gBAAA;AAAA,QAC7B,YAAa,CAAA,aAAA;AAAA,QACb;AAAA,OACF;AACF,MAAA,IAAI,mBAAqB,EAAA;AACvB,QAAA,MAAM,KAAK,mBAAoB,CAAA,kBAAA;AAAA,UAC7BE,wBAAA,CAAkB,qBAAqB,YAAY,CAAA;AAAA,UACnD,YAAa,CAAA,aAAA;AAAA,UACb;AAAA,SACF;AAAA,OACK,MAAA;AACL,QAAM,MAAA,WAAA,uBAAwB,IAAK,EAAA;AACnC,QAAa,YAAA,CAAA,SAAA,GAAY,YAAY,WAAY,EAAA;AACjD,QAAa,YAAA,CAAA,YAAA,GAAe,YAAY,WAAY,EAAA;AACpD,QAAA,MAAM,IAAK,CAAA,mBAAA,CAAoB,kBAAmB,CAAA,YAAA,EAAc,GAAG,CAAA;AAAA;AAGrE,MAAA,MAAM,EAAK,GAAA,MAAM,IAAK,CAAA,QAAA,CAAS,oBAAoB,QAAQ,CAAA;AAC3D,MAAA,IAAI,CAAC,EAAI,EAAA;AACP,QAAA,MAAM,IAAI,KAAA;AAAA,UACR,CAAA,yBAAA,EAA4BD,uBAAiB,CAAA,QAAQ,CAAC,CAAA;AAAA,SACxD;AAAA;AAGF,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAA,MAAM,IAAI,MAAO,EAAA;AAAA;AAEnB,MAAA,IAAI,CAAC,mBAAqB,EAAA;AACxB,QAAA,IAAA,CAAK,gBAAiB,CAAA,IAAA,CAAK,WAAa,EAAA,YAAA,CAAa,aAAa,CAAA;AAAA;AACpE,aACO,GAAK,EAAA;AACZ,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAM,MAAA,GAAA,CAAI,SAAS,GAAG,CAAA;AAAA;AAExB,MAAM,MAAA,GAAA;AAAA;AACR;AACF,EAEA,MAAM,sBAAA,CACJ,OACA,EAAA,OAAA,EACA,eACe,EAAA;AACf,IAAA,MAAM,cAAc,OAAQ,CAAA,EAAA,CAAG,CAAC,CAAA,EAAG,GAAG,CAAC,CAAA;AAEvC,IAAA,MAAM,GAAM,GAAA,MAAM,IAAK,CAAA,IAAA,CAAK,WAAY,EAAA;AACxC,IAAI,IAAA;AACF,MAAM,MAAA,eAAA,GAAkB,MAAM,IAAA,CAAK,mBAAoB,CAAA,gBAAA;AAAA,QACrD,WAAA;AAAA,QACA;AAAA,OACF;AACA,MAAA,IAAI,CAAC,eAAiB,EAAA;AACpB,QAAA,MAAM,IAAI,KAAA,CAAM,CAAiB,cAAA,EAAA,WAAW,CAAgB,cAAA,CAAA,CAAA;AAAA;AAG9D,MAAA,MAAM,IAAK,CAAA,sBAAA,CAAuB,OAAS,EAAA,eAAA,EAAiB,MAAM,GAAG,CAAA;AACrE,MAAA,MAAM,IAAK,CAAA,mBAAA,CAAoB,OAAS,EAAA,eAAA,EAAiB,GAAG,CAAA;AAC5D,MAAA,MAAM,IAAI,MAAO,EAAA;AAAA,aACV,GAAK,EAAA;AACZ,MAAM,MAAA,GAAA,CAAI,SAAS,GAAG,CAAA;AACtB,MAAM,MAAA,GAAA;AAAA;AACR;AACF,EAEA,MAAM,cACJ,CAAA,WAAA,EACA,WACe,EAAA;AACf,IAAA,MAAM,GAAM,GAAA,MAAM,IAAK,CAAA,IAAA,CAAK,WAAY,EAAA;AAExC,IAAI,IAAA;AACF,MAAM,MAAA,IAAA,CAAK,cAAe,CAAA,WAAA,EAAa,GAAG,CAAA;AAC1C,MAAM,MAAA,IAAA,CAAK,WAAY,CAAA,WAAA,EAAa,GAAG,CAAA;AACvC,MAAA,MAAM,IAAI,MAAO,EAAA;AAAA,aACV,GAAK,EAAA;AACZ,MAAM,MAAA,GAAA,CAAI,SAAS,GAAG,CAAA;AACtB,MAAM,MAAA,GAAA;AAAA;AACR;AACF,EAEA,MAAM,YAAa,CAAA,MAAA,EAAkB,WAAgC,EAAA;AACnE,IAAA,MAAM,GAAM,GAAA,WAAA,IAAgB,MAAM,IAAA,CAAK,KAAK,WAAY,EAAA;AAExD,IAAI,IAAA;AACF,MAAA,MAAM,KAAK,MAAM,IAAA,CAAK,QAAS,CAAA,YAAA,CAAa,GAAG,MAAM,CAAA;AACrD,MAAA,IAAI,CAAC,EAAI,EAAA;AACP,QAAA,MAAM,IAAI,KAAA,CAAM,CAAyB,sBAAA,EAAA,MAAM,CAAE,CAAA,CAAA;AAAA;AAEnD,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAA,MAAM,IAAI,MAAO,EAAA;AAAA;AACnB,aACO,GAAK,EAAA;AACZ,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAM,MAAA,GAAA,CAAI,SAAS,GAAG,CAAA;AAAA;AAExB,MAAM,MAAA,GAAA;AAAA;AACR;AACF,EAEA,MAAM,cACJ,CAAA,QAAA,EACA,WACe,EAAA;AACf,IAAA,MAAM,GAAM,GAAA,WAAA,IAAgB,MAAM,IAAA,CAAK,KAAK,WAAY,EAAA;AAExD,IAAI,IAAA;AACF,MAAA,MAAM,EAAK,GAAA,MAAM,IAAK,CAAA,QAAA,CAAS,eAAe,QAAQ,CAAA;AACtD,MAAA,IAAI,CAAC,EAAI,EAAA;AACP,QAAA,MAAM,IAAI,KAAA;AAAA,UACR,CAAA,0BAAA,EAA6BA,uBAAiB,CAAA,QAAQ,CAAC,CAAA;AAAA,SACzD;AAAA;AAGF,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAA,MAAM,IAAI,MAAO,EAAA;AAAA;AACnB,aACO,GAAK,EAAA;AACZ,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAM,MAAA,GAAA,CAAI,SAAS,GAAG,CAAA;AAAA;AAExB,MAAM,MAAA,GAAA;AAAA;AACR;AACF,EAEA,MAAM,oBAAA,CACJ,MACA,EAAA,YAAA,EACA,UACA,WACe,EAAA;AACf,IAAA,MAAM,GAAM,GAAA,WAAA,IAAgB,MAAM,IAAA,CAAK,KAAK,WAAY,EAAA;AACxD,IAAM,MAAA,UAAA,GAAa,OAAO,CAAC,CAAA;AAE3B,IAAI,IAAA;AACF,MAAA,MAAM,KAAK,MAAM,IAAA,CAAK,QAAS,CAAA,oBAAA,CAAqB,GAAG,MAAM,CAAA;AAC7D,MAAA,IAAI,CAAC,EAAI,EAAA;AACP,QAAA,MAAM,IAAI,KAAM,CAAA,CAAA,wBAAA,EAA2BD,qBAAe,CAAA,MAAM,CAAC,CAAE,CAAA,CAAA;AAAA;AAGrE,MAAA,IAAI,CAAC,QAAU,EAAA;AACb,QAAA,MAAM,sBACJ,MAAM,IAAA,CAAK,mBAAoB,CAAA,gBAAA,CAAiB,YAAY,GAAG,CAAA;AACjE,QAAM,MAAA,sBAAA,GAAyB,MAAM,IAAK,CAAA,yBAAA;AAAA,UACxC,CAAA;AAAA,UACA;AAAA,SACF;AACA,QAAA,IACE,mBACA,IAAA,sBAAA,CAAuB,MAAW,KAAA,CAAA,IAClC,eAAeG,6BACf,EAAA;AACA,UAAA,MAAM,IAAK,CAAA,mBAAA,CAAoB,kBAAmB,CAAA,UAAA,EAAY,GAAG,CAAA;AAAA,mBACxD,mBAAqB,EAAA;AAC9B,UAAA,MAAM,KAAK,mBAAoB,CAAA,kBAAA;AAAA,YAC7BD,wBAAA,CAAkB,qBAAqB,YAAY,CAAA;AAAA,YACnD,UAAA;AAAA,YACA;AAAA,WACF;AAAA;AACF;AAGF,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAA,MAAM,IAAI,MAAO,EAAA;AAAA;AACnB,aACO,GAAK,EAAA;AACZ,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAM,MAAA,GAAA,CAAI,SAAS,GAAG,CAAA;AAAA;AAExB,MAAM,MAAA,GAAA;AAAA;AACR;AACF,EAEA,MAAM,sBAAA,CACJ,QACA,EAAA,YAAA,EACA,UACA,WACe,EAAA;AACf,IAAA,MAAM,GAAM,GAAA,WAAA,IAAgB,MAAM,IAAA,CAAK,KAAK,WAAY,EAAA;AAExD,IAAA,MAAM,aAAa,YAAa,CAAA,aAAA;AAChC,IAAI,IAAA;AACF,MAAA,MAAM,EAAK,GAAA,MAAM,IAAK,CAAA,QAAA,CAAS,uBAAuB,QAAQ,CAAA;AAC9D,MAAA,IAAI,CAAC,EAAI,EAAA;AACP,QAAA,MAAM,IAAI,KAAA;AAAA,UACR,CAAA,oCAAA,EAAuCD,uBAAiB,CAAA,QAAQ,CAAC,CAAA;AAAA,SACnE;AAAA;AAGF,MAAA,IAAI,CAAC,QAAU,EAAA;AACb,QAAA,MAAM,sBACJ,MAAM,IAAA,CAAK,mBAAoB,CAAA,gBAAA,CAAiB,YAAY,GAAG,CAAA;AACjE,QAAM,MAAA,sBAAA,GAAyB,MAAM,IAAK,CAAA,yBAAA;AAAA,UACxC,CAAA;AAAA,UACA;AAAA,SACF;AACA,QAAA,IACE,mBACA,IAAA,sBAAA,CAAuB,MAAW,KAAA,CAAA,IAClC,eAAeE,6BACf,EAAA;AACA,UAAA,MAAM,IAAK,CAAA,mBAAA,CAAoB,kBAAmB,CAAA,UAAA,EAAY,GAAG,CAAA;AAAA,mBACxD,mBAAqB,EAAA;AAC9B,UAAA,MAAM,KAAK,mBAAoB,CAAA,kBAAA;AAAA,YAC7BD,wBAAA,CAAkB,qBAAqB,YAAY,CAAA;AAAA,YACnD,UAAA;AAAA,YACA;AAAA,WACF;AAAA;AACF;AAGF,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAA,MAAM,IAAI,MAAO,EAAA;AAAA;AACnB,aACO,GAAK,EAAA;AACZ,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAM,MAAA,GAAA,CAAI,SAAS,GAAG,CAAA;AAAA;AAExB,MAAM,MAAA,GAAA;AAAA;AACR;AACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAwBA,MAAM,OAAA,CACJ,SACA,EAAA,YAAA,EACA,QACA,KACkB,EAAA;AAClB,IAAA,MAAM,SAAS,EAAC;AAChB,IAAI,IAAA,KAAA,CAAM,SAAS,CAAG,EAAA;AACpB,MAAA,KAAA,CAAM,QAAQ,CAAQ,IAAA,KAAA;AACpB,QAAO,MAAA,CAAA,IAAA,CAAK,EAAE,KAAA,EAAO,GAAK,EAAA,EAAA,EAAI,MAAM,EAAI,EAAA,YAAA,EAAc,EAAI,EAAA,MAAA,EAAQ,CAAA;AAAA,OACnE,CAAA;AAAA,KACI,MAAA;AACL,MAAO,MAAA,CAAA,IAAA,CAAK,EAAE,KAAO,EAAA,GAAA,EAAK,IAAI,YAAc,EAAA,EAAA,EAAI,QAAQ,CAAA;AAAA;AAG1D,IAAM,MAAA,KAAA,GAAQ,IAAK,CAAA,QAAA,CAAS,UAAW,EAAA;AACvC,IAAM,MAAA,WAAA,GAAc,IAAK,CAAA,QAAA,CAAS,cAAe,EAAA;AACjD,IAAM,MAAA,YAAA,GAAe,IAAIE,eAAS,EAAA;AAClC,IAAA,MAAM,YAAa,CAAA,uBAAA;AAAA,MACjBN,0BAAmBC,qBAAK,CAAA;AAAA,MACxB,KAAA;AAAA,MACA;AAAA,KACF;AACA,IAAA,YAAA,CAAa,eAAe,WAAW,CAAA;AAEvC,IAAM,MAAA,YAAA,CAAa,mBAAmB,MAAM,CAAA;AAE5C,IAAA,OAAO,MAAM,YAAA,CAAa,OAAQ,CAAA,SAAA,EAAW,cAAc,MAAM,CAAA;AAAA;AACnE,EAEA,MAAM,8BAA8B,IAAmC,EAAA;AACrE,IAAO,OAAA,IAAA,CAAK,QAAS,CAAA,6BAAA,CAA8B,IAAI,CAAA;AAAA;AACzD,EAEA,MAAM,WAAiC,GAAA;AACrC,IAAO,OAAA,IAAA,CAAK,SAAS,WAAY,EAAA;AAAA;AAErC;;;;"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"permission-model.cjs.js","sources":["../../src/service/permission-model.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nexport const MODEL = `\n[request_definition]\nr = sub, obj, act\n\n[policy_definition]\np = sub, obj, act, eft\n\n[policy_effect]\ne = some(where (p.eft == allow)) && !some(where (p.eft == deny))\n\n[role_definition]\ng = _, _\n\n[matchers]\nm = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act\n`;\n"],"names":[],"mappings":";;AAeO,MAAM,KAAQ,GAAA
|
|
1
|
+
{"version":3,"file":"permission-model.cjs.js","sources":["../../src/service/permission-model.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nexport const MODEL = `\n[request_definition]\nr = sub, obj, act\n\n[policy_definition]\np = sub, obj, act, eft\n\n[policy_effect]\ne = some(where (p.eft == allow)) && !some(where (p.eft == deny))\n\n[role_definition]\ng = _, _\n\n[matchers]\nm = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act\n`;\n"],"names":[],"mappings":";;AAeO,MAAM,KAAQ,GAAA;AAAA;AAAA;;AAAA;AAAA;;AAAA;AAAA;;AAAA;AAAA;;AAAA;AAAA;AAAA;;;;"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"plugin-endpoints.cjs.js","sources":["../../src/service/plugin-endpoints.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport {\n FetchUrlReader,\n ReaderFactory,\n UrlReaders,\n} from '@backstage/backend-defaults/urlReader';\nimport type {\n AuthService,\n DiscoveryService,\n LoggerService,\n UrlReaderService,\n} from '@backstage/backend-plugin-api';\nimport type { Config } from '@backstage/config';\nimport { isError } from '@backstage/errors';\nimport {\n isResourcePermission,\n Permission,\n} from '@backstage/plugin-permission-common';\nimport type {\n MetadataResponse,\n MetadataResponseSerializedRule,\n} from '@backstage/plugin-permission-node';\n\nimport type {\n PluginPermissionMetaData,\n PolicyDetails,\n} from '@backstage-community/plugin-rbac-common';\nimport type { PluginIdProvider } from '@backstage-community/plugin-rbac-node';\n\ntype PluginMetadataResponse = {\n pluginId: string;\n metaDataResponse: MetadataResponse;\n};\n\nexport type PluginMetadataResponseSerializedRule = {\n pluginId: string;\n rules: MetadataResponseSerializedRule[];\n};\n\nexport class PluginPermissionMetadataCollector {\n private readonly pluginIds: string[];\n private readonly discovery: DiscoveryService;\n private readonly logger: LoggerService;\n private readonly urlReader: UrlReaderService;\n\n constructor({\n deps,\n optional,\n }: {\n deps: {\n discovery: DiscoveryService;\n pluginIdProvider: PluginIdProvider;\n logger: LoggerService;\n config: Config;\n };\n optional?: {\n urlReader?: UrlReaderService;\n };\n }) {\n const { discovery, pluginIdProvider, logger, config } = deps;\n this.pluginIds = pluginIdProvider.getPluginIds();\n this.discovery = discovery;\n this.logger = logger;\n this.urlReader =\n optional?.urlReader ??\n UrlReaders.default({\n config,\n logger,\n factories: [PluginPermissionMetadataCollector.permissionFactory],\n });\n }\n\n async getPluginConditionRules(\n auth: AuthService,\n ): Promise<PluginMetadataResponseSerializedRule[]> {\n const pluginMetadata = await this.getPluginMetaData(auth);\n\n return pluginMetadata\n .filter(metadata => metadata.metaDataResponse.rules.length > 0)\n .map(metadata => {\n return {\n pluginId: metadata.pluginId,\n rules: metadata.metaDataResponse.rules,\n };\n });\n }\n\n async getPluginPolicies(\n auth: AuthService,\n ): Promise<PluginPermissionMetaData[]> {\n const pluginMetadata = await this.getPluginMetaData(auth);\n\n return pluginMetadata\n .filter(metadata => metadata.metaDataResponse.permissions !== undefined)\n .map(metadata => {\n return {\n pluginId: metadata.pluginId,\n policies: permissionsToCasbinPolicies(\n metadata.metaDataResponse.permissions!,\n ),\n };\n });\n }\n\n private static permissionFactory: ReaderFactory = () => {\n return [{ reader: new FetchUrlReader(), predicate: (_url: URL) => true }];\n };\n\n private async getPluginMetaData(\n auth: AuthService,\n ): Promise<PluginMetadataResponse[]> {\n let pluginResponses: PluginMetadataResponse[] = [];\n\n for (const pluginId of this.pluginIds) {\n try {\n const { token } = await auth.getPluginRequestToken({\n onBehalfOf: await auth.getOwnServiceCredentials(),\n targetPluginId: pluginId,\n });\n\n const permMetaData = await this.getMetadataByPluginId(pluginId, token);\n if (permMetaData) {\n pluginResponses = [\n ...pluginResponses,\n {\n metaDataResponse: permMetaData,\n pluginId,\n },\n ];\n }\n } catch (error) {\n this.logger.error(\n `Failed to retrieve permission metadata for ${pluginId}. ${error}`,\n );\n }\n }\n\n return pluginResponses;\n }\n\n async getMetadataByPluginId(\n pluginId: string,\n token: string | undefined,\n ): Promise<MetadataResponse | undefined> {\n let permMetaData: MetadataResponse | undefined;\n try {\n const baseEndpoint = await this.discovery.getBaseUrl(pluginId);\n const wellKnownURL = `${baseEndpoint}/.well-known/backstage/permissions/metadata`;\n\n const permResp = await this.urlReader.readUrl(wellKnownURL, { token });\n const permMetaDataRaw = (await permResp.buffer()).toString();\n\n try {\n permMetaData = JSON.parse(permMetaDataRaw);\n } catch (err) {\n // workaround for https://issues.redhat.com/browse/RHIDP-1456\n return undefined;\n }\n } catch (err) {\n if (isError(err) && err.name === 'NotFoundError') {\n this.logger.warn(\n `No permission metadata found for ${pluginId}. ${err}`,\n );\n return undefined;\n }\n this.logger.error(\n `Failed to retrieve permission metadata for ${pluginId}. ${err}`,\n );\n }\n return permMetaData;\n }\n}\n\nfunction permissionsToCasbinPolicies(\n permissions: Permission[],\n): PolicyDetails[] {\n const policies: PolicyDetails[] = [];\n for (const permission of permissions) {\n if (isResourcePermission(permission)) {\n policies.push({\n resourceType: permission.resourceType,\n name: permission.name,\n policy: permission.attributes.action || 'use',\n });\n } else {\n policies.push({\n name: permission.name,\n policy: permission.attributes.action || 'use',\n });\n }\n }\n\n return policies;\n}\n"],"names":["UrlReaders","FetchUrlReader","isError","isResourcePermission"],"mappings":";;;;;;AAqDO,MAAM,iCAAkC,CAAA;AAAA,EAC5B,SAAA
|
|
1
|
+
{"version":3,"file":"plugin-endpoints.cjs.js","sources":["../../src/service/plugin-endpoints.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport {\n FetchUrlReader,\n ReaderFactory,\n UrlReaders,\n} from '@backstage/backend-defaults/urlReader';\nimport type {\n AuthService,\n DiscoveryService,\n LoggerService,\n UrlReaderService,\n} from '@backstage/backend-plugin-api';\nimport type { Config } from '@backstage/config';\nimport { isError } from '@backstage/errors';\nimport {\n isResourcePermission,\n Permission,\n} from '@backstage/plugin-permission-common';\nimport type {\n MetadataResponse,\n MetadataResponseSerializedRule,\n} from '@backstage/plugin-permission-node';\n\nimport type {\n PluginPermissionMetaData,\n PolicyDetails,\n} from '@backstage-community/plugin-rbac-common';\nimport type { PluginIdProvider } from '@backstage-community/plugin-rbac-node';\n\ntype PluginMetadataResponse = {\n pluginId: string;\n metaDataResponse: MetadataResponse;\n};\n\nexport type PluginMetadataResponseSerializedRule = {\n pluginId: string;\n rules: MetadataResponseSerializedRule[];\n};\n\nexport class PluginPermissionMetadataCollector {\n private readonly pluginIds: string[];\n private readonly discovery: DiscoveryService;\n private readonly logger: LoggerService;\n private readonly urlReader: UrlReaderService;\n\n constructor({\n deps,\n optional,\n }: {\n deps: {\n discovery: DiscoveryService;\n pluginIdProvider: PluginIdProvider;\n logger: LoggerService;\n config: Config;\n };\n optional?: {\n urlReader?: UrlReaderService;\n };\n }) {\n const { discovery, pluginIdProvider, logger, config } = deps;\n this.pluginIds = pluginIdProvider.getPluginIds();\n this.discovery = discovery;\n this.logger = logger;\n this.urlReader =\n optional?.urlReader ??\n UrlReaders.default({\n config,\n logger,\n factories: [PluginPermissionMetadataCollector.permissionFactory],\n });\n }\n\n async getPluginConditionRules(\n auth: AuthService,\n ): Promise<PluginMetadataResponseSerializedRule[]> {\n const pluginMetadata = await this.getPluginMetaData(auth);\n\n return pluginMetadata\n .filter(metadata => metadata.metaDataResponse.rules.length > 0)\n .map(metadata => {\n return {\n pluginId: metadata.pluginId,\n rules: metadata.metaDataResponse.rules,\n };\n });\n }\n\n async getPluginPolicies(\n auth: AuthService,\n ): Promise<PluginPermissionMetaData[]> {\n const pluginMetadata = await this.getPluginMetaData(auth);\n\n return pluginMetadata\n .filter(metadata => metadata.metaDataResponse.permissions !== undefined)\n .map(metadata => {\n return {\n pluginId: metadata.pluginId,\n policies: permissionsToCasbinPolicies(\n metadata.metaDataResponse.permissions!,\n ),\n };\n });\n }\n\n private static permissionFactory: ReaderFactory = () => {\n return [{ reader: new FetchUrlReader(), predicate: (_url: URL) => true }];\n };\n\n private async getPluginMetaData(\n auth: AuthService,\n ): Promise<PluginMetadataResponse[]> {\n let pluginResponses: PluginMetadataResponse[] = [];\n\n for (const pluginId of this.pluginIds) {\n try {\n const { token } = await auth.getPluginRequestToken({\n onBehalfOf: await auth.getOwnServiceCredentials(),\n targetPluginId: pluginId,\n });\n\n const permMetaData = await this.getMetadataByPluginId(pluginId, token);\n if (permMetaData) {\n pluginResponses = [\n ...pluginResponses,\n {\n metaDataResponse: permMetaData,\n pluginId,\n },\n ];\n }\n } catch (error) {\n this.logger.error(\n `Failed to retrieve permission metadata for ${pluginId}. ${error}`,\n );\n }\n }\n\n return pluginResponses;\n }\n\n async getMetadataByPluginId(\n pluginId: string,\n token: string | undefined,\n ): Promise<MetadataResponse | undefined> {\n let permMetaData: MetadataResponse | undefined;\n try {\n const baseEndpoint = await this.discovery.getBaseUrl(pluginId);\n const wellKnownURL = `${baseEndpoint}/.well-known/backstage/permissions/metadata`;\n\n const permResp = await this.urlReader.readUrl(wellKnownURL, { token });\n const permMetaDataRaw = (await permResp.buffer()).toString();\n\n try {\n permMetaData = JSON.parse(permMetaDataRaw);\n } catch (err) {\n // workaround for https://issues.redhat.com/browse/RHIDP-1456\n return undefined;\n }\n } catch (err) {\n if (isError(err) && err.name === 'NotFoundError') {\n this.logger.warn(\n `No permission metadata found for ${pluginId}. ${err}`,\n );\n return undefined;\n }\n this.logger.error(\n `Failed to retrieve permission metadata for ${pluginId}. ${err}`,\n );\n }\n return permMetaData;\n }\n}\n\nfunction permissionsToCasbinPolicies(\n permissions: Permission[],\n): PolicyDetails[] {\n const policies: PolicyDetails[] = [];\n for (const permission of permissions) {\n if (isResourcePermission(permission)) {\n policies.push({\n resourceType: permission.resourceType,\n name: permission.name,\n policy: permission.attributes.action || 'use',\n });\n } else {\n policies.push({\n name: permission.name,\n policy: permission.attributes.action || 'use',\n });\n }\n }\n\n return policies;\n}\n"],"names":["UrlReaders","FetchUrlReader","isError","isResourcePermission"],"mappings":";;;;;;AAqDO,MAAM,iCAAkC,CAAA;AAAA,EAC5B,SAAA;AAAA,EACA,SAAA;AAAA,EACA,MAAA;AAAA,EACA,SAAA;AAAA,EAEjB,WAAY,CAAA;AAAA,IACV,IAAA;AAAA,IACA;AAAA,GAWC,EAAA;AACD,IAAA,MAAM,EAAE,SAAA,EAAW,gBAAkB,EAAA,MAAA,EAAQ,QAAW,GAAA,IAAA;AACxD,IAAK,IAAA,CAAA,SAAA,GAAY,iBAAiB,YAAa,EAAA;AAC/C,IAAA,IAAA,CAAK,SAAY,GAAA,SAAA;AACjB,IAAA,IAAA,CAAK,MAAS,GAAA,MAAA;AACd,IAAA,IAAA,CAAK,SACH,GAAA,QAAA,EAAU,SACV,IAAAA,oBAAA,CAAW,OAAQ,CAAA;AAAA,MACjB,MAAA;AAAA,MACA,MAAA;AAAA,MACA,SAAA,EAAW,CAAC,iCAAA,CAAkC,iBAAiB;AAAA,KAChE,CAAA;AAAA;AACL,EAEA,MAAM,wBACJ,IACiD,EAAA;AACjD,IAAA,MAAM,cAAiB,GAAA,MAAM,IAAK,CAAA,iBAAA,CAAkB,IAAI,CAAA;AAExD,IAAO,OAAA,cAAA,CACJ,MAAO,CAAA,CAAA,QAAA,KAAY,QAAS,CAAA,gBAAA,CAAiB,MAAM,MAAS,GAAA,CAAC,CAC7D,CAAA,GAAA,CAAI,CAAY,QAAA,KAAA;AACf,MAAO,OAAA;AAAA,QACL,UAAU,QAAS,CAAA,QAAA;AAAA,QACnB,KAAA,EAAO,SAAS,gBAAiB,CAAA;AAAA,OACnC;AAAA,KACD,CAAA;AAAA;AACL,EAEA,MAAM,kBACJ,IACqC,EAAA;AACrC,IAAA,MAAM,cAAiB,GAAA,MAAM,IAAK,CAAA,iBAAA,CAAkB,IAAI,CAAA;AAExD,IAAO,OAAA,cAAA,CACJ,OAAO,CAAY,QAAA,KAAA,QAAA,CAAS,iBAAiB,WAAgB,KAAA,KAAA,CAAS,CACtE,CAAA,GAAA,CAAI,CAAY,QAAA,KAAA;AACf,MAAO,OAAA;AAAA,QACL,UAAU,QAAS,CAAA,QAAA;AAAA,QACnB,QAAU,EAAA,2BAAA;AAAA,UACR,SAAS,gBAAiB,CAAA;AAAA;AAC5B,OACF;AAAA,KACD,CAAA;AAAA;AACL,EAEA,OAAe,oBAAmC,MAAM;AACtD,IAAO,OAAA,CAAC,EAAE,MAAA,EAAQ,IAAIC,wBAAA,IAAkB,SAAW,EAAA,CAAC,IAAc,KAAA,IAAA,EAAM,CAAA;AAAA,GAC1E;AAAA,EAEA,MAAc,kBACZ,IACmC,EAAA;AACnC,IAAA,IAAI,kBAA4C,EAAC;AAEjD,IAAW,KAAA,MAAA,QAAA,IAAY,KAAK,SAAW,EAAA;AACrC,MAAI,IAAA;AACF,QAAA,MAAM,EAAE,KAAA,EAAU,GAAA,MAAM,KAAK,qBAAsB,CAAA;AAAA,UACjD,UAAA,EAAY,MAAM,IAAA,CAAK,wBAAyB,EAAA;AAAA,UAChD,cAAgB,EAAA;AAAA,SACjB,CAAA;AAED,QAAA,MAAM,YAAe,GAAA,MAAM,IAAK,CAAA,qBAAA,CAAsB,UAAU,KAAK,CAAA;AACrE,QAAA,IAAI,YAAc,EAAA;AAChB,UAAkB,eAAA,GAAA;AAAA,YAChB,GAAG,eAAA;AAAA,YACH;AAAA,cACE,gBAAkB,EAAA,YAAA;AAAA,cAClB;AAAA;AACF,WACF;AAAA;AACF,eACO,KAAO,EAAA;AACd,QAAA,IAAA,CAAK,MAAO,CAAA,KAAA;AAAA,UACV,CAAA,2CAAA,EAA8C,QAAQ,CAAA,EAAA,EAAK,KAAK,CAAA;AAAA,SAClE;AAAA;AACF;AAGF,IAAO,OAAA,eAAA;AAAA;AACT,EAEA,MAAM,qBACJ,CAAA,QAAA,EACA,KACuC,EAAA;AACvC,IAAI,IAAA,YAAA;AACJ,IAAI,IAAA;AACF,MAAA,MAAM,YAAe,GAAA,MAAM,IAAK,CAAA,SAAA,CAAU,WAAW,QAAQ,CAAA;AAC7D,MAAM,MAAA,YAAA,GAAe,GAAG,YAAY,CAAA,2CAAA,CAAA;AAEpC,MAAM,MAAA,QAAA,GAAW,MAAM,IAAK,CAAA,SAAA,CAAU,QAAQ,YAAc,EAAA,EAAE,OAAO,CAAA;AACrE,MAAA,MAAM,eAAmB,GAAA,CAAA,MAAM,QAAS,CAAA,MAAA,IAAU,QAAS,EAAA;AAE3D,MAAI,IAAA;AACF,QAAe,YAAA,GAAA,IAAA,CAAK,MAAM,eAAe,CAAA;AAAA,eAClC,GAAK,EAAA;AAEZ,QAAO,OAAA,KAAA,CAAA;AAAA;AACT,aACO,GAAK,EAAA;AACZ,MAAA,IAAIC,cAAQ,CAAA,GAAG,CAAK,IAAA,GAAA,CAAI,SAAS,eAAiB,EAAA;AAChD,QAAA,IAAA,CAAK,MAAO,CAAA,IAAA;AAAA,UACV,CAAA,iCAAA,EAAoC,QAAQ,CAAA,EAAA,EAAK,GAAG,CAAA;AAAA,SACtD;AACA,QAAO,OAAA,KAAA,CAAA;AAAA;AAET,MAAA,IAAA,CAAK,MAAO,CAAA,KAAA;AAAA,QACV,CAAA,2CAAA,EAA8C,QAAQ,CAAA,EAAA,EAAK,GAAG,CAAA;AAAA,OAChE;AAAA;AAEF,IAAO,OAAA,YAAA;AAAA;AAEX;AAEA,SAAS,4BACP,WACiB,EAAA;AACjB,EAAA,MAAM,WAA4B,EAAC;AACnC,EAAA,KAAA,MAAW,cAAc,WAAa,EAAA;AACpC,IAAI,IAAAC,2CAAA,CAAqB,UAAU,CAAG,EAAA;AACpC,MAAA,QAAA,CAAS,IAAK,CAAA;AAAA,QACZ,cAAc,UAAW,CAAA,YAAA;AAAA,QACzB,MAAM,UAAW,CAAA,IAAA;AAAA,QACjB,MAAA,EAAQ,UAAW,CAAA,UAAA,CAAW,MAAU,IAAA;AAAA,OACzC,CAAA;AAAA,KACI,MAAA;AACL,MAAA,QAAA,CAAS,IAAK,CAAA;AAAA,QACZ,MAAM,UAAW,CAAA,IAAA;AAAA,QACjB,MAAA,EAAQ,UAAW,CAAA,UAAA,CAAW,MAAU,IAAA;AAAA,OACzC,CAAA;AAAA;AACH;AAGF,EAAO,OAAA,QAAA;AACT;;;;"}
|
|
@@ -231,9 +231,7 @@ class PoliciesServer {
|
|
|
231
231
|
false,
|
|
232
232
|
"new policy"
|
|
233
233
|
);
|
|
234
|
-
const roleMetadata = await this.roleMetadata.findRoleMetadata(
|
|
235
|
-
entityRef
|
|
236
|
-
);
|
|
234
|
+
const roleMetadata = await this.roleMetadata.findRoleMetadata(entityRef);
|
|
237
235
|
if (entityRef.startsWith("role:default") && !roleMetadata) {
|
|
238
236
|
throw new Error(`Corresponding role ${entityRef} was not found`);
|
|
239
237
|
}
|
|
@@ -409,9 +407,7 @@ class PoliciesServer {
|
|
|
409
407
|
roleEntityRef: newRoleRaw.name,
|
|
410
408
|
modifiedBy: credentials.principal.userEntityRef
|
|
411
409
|
};
|
|
412
|
-
const oldMetadata = await this.roleMetadata.findRoleMetadata(
|
|
413
|
-
roleEntityRef
|
|
414
|
-
);
|
|
410
|
+
const oldMetadata = await this.roleMetadata.findRoleMetadata(roleEntityRef);
|
|
415
411
|
if (!oldMetadata) {
|
|
416
412
|
throw new errors.NotFoundError(`Unable to find metadata for ${roleEntityRef}`);
|
|
417
413
|
}
|
|
@@ -524,9 +520,7 @@ class PoliciesServer {
|
|
|
524
520
|
throw new errors.NotFoundError(`role member '${role[0]}' was not found`);
|
|
525
521
|
}
|
|
526
522
|
}
|
|
527
|
-
const currentMetadata = await this.roleMetadata.findRoleMetadata(
|
|
528
|
-
roleEntityRef
|
|
529
|
-
);
|
|
523
|
+
const currentMetadata = await this.roleMetadata.findRoleMetadata(roleEntityRef);
|
|
530
524
|
const err = await policiesValidation.validateSource("rest", currentMetadata);
|
|
531
525
|
if (err) {
|
|
532
526
|
throw new errors.NotAllowedError(`Unable to delete role: ${err.message}`);
|
|
@@ -646,9 +640,7 @@ class PoliciesServer {
|
|
|
646
640
|
this.pluginPermMetaData,
|
|
647
641
|
this.options.auth
|
|
648
642
|
);
|
|
649
|
-
const id = await this.conditionalStorage.createCondition(
|
|
650
|
-
conditionToCreate
|
|
651
|
-
);
|
|
643
|
+
const id = await this.conditionalStorage.createCondition(conditionToCreate);
|
|
652
644
|
const body = { id };
|
|
653
645
|
await this.aLog.auditLog({
|
|
654
646
|
message: `Created conditional permission policy`,
|