@blokjs/runner 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/Blok.d.ts +19 -0
- package/dist/Blok.js +184 -0
- package/dist/Blok.js.map +1 -0
- package/dist/BlokResponse.d.ts +16 -0
- package/dist/BlokResponse.js +28 -0
- package/dist/BlokResponse.js.map +1 -0
- package/dist/Configuration.d.ts +37 -0
- package/dist/Configuration.js +248 -0
- package/dist/Configuration.js.map +1 -0
- package/dist/ConfigurationResolver.d.ts +7 -0
- package/dist/ConfigurationResolver.js +15 -0
- package/dist/ConfigurationResolver.js.map +1 -0
- package/dist/DefaultLogger.d.ts +65 -0
- package/dist/DefaultLogger.js +101 -0
- package/dist/DefaultLogger.js.map +1 -0
- package/dist/LocalStorage.d.ts +7 -0
- package/dist/LocalStorage.js +56 -0
- package/dist/LocalStorage.js.map +1 -0
- package/dist/MemoryUsage.d.ts +22 -0
- package/dist/MemoryUsage.js +83 -0
- package/dist/MemoryUsage.js.map +1 -0
- package/dist/NodeMap.d.ts +7 -0
- package/dist/NodeMap.js +13 -0
- package/dist/NodeMap.js.map +1 -0
- package/dist/ResolverBase.d.ts +8 -0
- package/dist/ResolverBase.js +18 -0
- package/dist/ResolverBase.js.map +1 -0
- package/dist/Runner.d.ts +25 -0
- package/dist/Runner.js +32 -0
- package/dist/Runner.js.map +1 -0
- package/dist/RunnerNode.d.ts +9 -0
- package/dist/RunnerNode.js +8 -0
- package/dist/RunnerNode.js.map +1 -0
- package/dist/RunnerNodeBase.d.ts +4 -0
- package/dist/RunnerNodeBase.js +3 -0
- package/dist/RunnerNodeBase.js.map +1 -0
- package/dist/RunnerSteps.d.ts +14 -0
- package/dist/RunnerSteps.js +110 -0
- package/dist/RunnerSteps.js.map +1 -0
- package/dist/RuntimeAdapterNode.d.ts +19 -0
- package/dist/RuntimeAdapterNode.js +87 -0
- package/dist/RuntimeAdapterNode.js.map +1 -0
- package/dist/RuntimeRegistry.d.ts +61 -0
- package/dist/RuntimeRegistry.js +87 -0
- package/dist/RuntimeRegistry.js.map +1 -0
- package/dist/TriggerBase.d.ts +119 -0
- package/dist/TriggerBase.js +413 -0
- package/dist/TriggerBase.js.map +1 -0
- package/dist/adapters/BunRuntimeAdapter.d.ts +38 -0
- package/dist/adapters/BunRuntimeAdapter.js +169 -0
- package/dist/adapters/BunRuntimeAdapter.js.map +1 -0
- package/dist/adapters/DockerRuntimeAdapter.d.ts +85 -0
- package/dist/adapters/DockerRuntimeAdapter.js +298 -0
- package/dist/adapters/DockerRuntimeAdapter.js.map +1 -0
- package/dist/adapters/HttpRuntimeAdapter.d.ts +58 -0
- package/dist/adapters/HttpRuntimeAdapter.js +152 -0
- package/dist/adapters/HttpRuntimeAdapter.js.map +1 -0
- package/dist/adapters/NodeJsRuntimeAdapter.d.ts +23 -0
- package/dist/adapters/NodeJsRuntimeAdapter.js +67 -0
- package/dist/adapters/NodeJsRuntimeAdapter.js.map +1 -0
- package/dist/adapters/RuntimeAdapter.d.ts +42 -0
- package/dist/adapters/RuntimeAdapter.js +2 -0
- package/dist/adapters/RuntimeAdapter.js.map +1 -0
- package/dist/adapters/WasmRuntimeAdapter.d.ts +69 -0
- package/dist/adapters/WasmRuntimeAdapter.js +279 -0
- package/dist/adapters/WasmRuntimeAdapter.js.map +1 -0
- package/dist/cache/NodeResultCache.d.ts +286 -0
- package/dist/cache/NodeResultCache.js +499 -0
- package/dist/cache/NodeResultCache.js.map +1 -0
- package/dist/cache/index.d.ts +1 -0
- package/dist/cache/index.js +2 -0
- package/dist/cache/index.js.map +1 -0
- package/dist/cost/CostEstimator.d.ts +57 -0
- package/dist/cost/CostEstimator.js +171 -0
- package/dist/cost/CostEstimator.js.map +1 -0
- package/dist/cost/index.d.ts +4 -0
- package/dist/cost/index.js +3 -0
- package/dist/cost/index.js.map +1 -0
- package/dist/cost/pricing.d.ts +24 -0
- package/dist/cost/pricing.js +169 -0
- package/dist/cost/pricing.js.map +1 -0
- package/dist/defineNode.d.ts +155 -0
- package/dist/defineNode.js +191 -0
- package/dist/defineNode.js.map +1 -0
- package/dist/graphql/GraphQLSchemaGenerator.d.ts +129 -0
- package/dist/graphql/GraphQLSchemaGenerator.js +425 -0
- package/dist/graphql/GraphQLSchemaGenerator.js.map +1 -0
- package/dist/hmr/FileWatcher.d.ts +62 -0
- package/dist/hmr/FileWatcher.js +185 -0
- package/dist/hmr/FileWatcher.js.map +1 -0
- package/dist/hmr/HmrDevConsole.d.ts +13 -0
- package/dist/hmr/HmrDevConsole.js +46 -0
- package/dist/hmr/HmrDevConsole.js.map +1 -0
- package/dist/hmr/HotReloadManager.d.ts +84 -0
- package/dist/hmr/HotReloadManager.js +195 -0
- package/dist/hmr/HotReloadManager.js.map +1 -0
- package/dist/hmr/index.d.ts +39 -0
- package/dist/hmr/index.js +38 -0
- package/dist/hmr/index.js.map +1 -0
- package/dist/index.d.ts +107 -0
- package/dist/index.js +107 -0
- package/dist/index.js.map +1 -0
- package/dist/integrations/APMIntegration.d.ts +141 -0
- package/dist/integrations/APMIntegration.js +212 -0
- package/dist/integrations/APMIntegration.js.map +1 -0
- package/dist/integrations/AzureMonitorIntegration.d.ts +118 -0
- package/dist/integrations/AzureMonitorIntegration.js +254 -0
- package/dist/integrations/AzureMonitorIntegration.js.map +1 -0
- package/dist/integrations/CloudWatchIntegration.d.ts +135 -0
- package/dist/integrations/CloudWatchIntegration.js +293 -0
- package/dist/integrations/CloudWatchIntegration.js.map +1 -0
- package/dist/integrations/SentryIntegration.d.ts +153 -0
- package/dist/integrations/SentryIntegration.js +200 -0
- package/dist/integrations/SentryIntegration.js.map +1 -0
- package/dist/integrations/index.d.ts +19 -0
- package/dist/integrations/index.js +16 -0
- package/dist/integrations/index.js.map +1 -0
- package/dist/marketplace/RuntimeAutoScaler.d.ts +148 -0
- package/dist/marketplace/RuntimeAutoScaler.js +366 -0
- package/dist/marketplace/RuntimeAutoScaler.js.map +1 -0
- package/dist/marketplace/RuntimeCatalog.d.ts +174 -0
- package/dist/marketplace/RuntimeCatalog.js +339 -0
- package/dist/marketplace/RuntimeCatalog.js.map +1 -0
- package/dist/marketplace/RuntimeDiscovery.d.ts +86 -0
- package/dist/marketplace/RuntimeDiscovery.js +219 -0
- package/dist/marketplace/RuntimeDiscovery.js.map +1 -0
- package/dist/marketplace/RuntimeHealthMonitor.d.ts +100 -0
- package/dist/marketplace/RuntimeHealthMonitor.js +241 -0
- package/dist/marketplace/RuntimeHealthMonitor.js.map +1 -0
- package/dist/marketplace/RuntimeMetricsDashboard.d.ts +113 -0
- package/dist/marketplace/RuntimeMetricsDashboard.js +293 -0
- package/dist/marketplace/RuntimeMetricsDashboard.js.map +1 -0
- package/dist/monitoring/CircuitBreaker.d.ts +107 -0
- package/dist/monitoring/CircuitBreaker.js +238 -0
- package/dist/monitoring/CircuitBreaker.js.map +1 -0
- package/dist/monitoring/DistributedTracer.d.ts +125 -0
- package/dist/monitoring/DistributedTracer.js +230 -0
- package/dist/monitoring/DistributedTracer.js.map +1 -0
- package/dist/monitoring/HealthCheck.d.ts +54 -0
- package/dist/monitoring/HealthCheck.js +102 -0
- package/dist/monitoring/HealthCheck.js.map +1 -0
- package/dist/monitoring/PerformanceProfiler.d.ts +63 -0
- package/dist/monitoring/PerformanceProfiler.js +229 -0
- package/dist/monitoring/PerformanceProfiler.js.map +1 -0
- package/dist/monitoring/PrometheusBootstrap.d.ts +30 -0
- package/dist/monitoring/PrometheusBootstrap.js +71 -0
- package/dist/monitoring/PrometheusBootstrap.js.map +1 -0
- package/dist/monitoring/PrometheusMetricsBridge.d.ts +60 -0
- package/dist/monitoring/PrometheusMetricsBridge.js +216 -0
- package/dist/monitoring/PrometheusMetricsBridge.js.map +1 -0
- package/dist/monitoring/RateLimiter.d.ts +58 -0
- package/dist/monitoring/RateLimiter.js +128 -0
- package/dist/monitoring/RateLimiter.js.map +1 -0
- package/dist/monitoring/StructuredLogger.d.ts +131 -0
- package/dist/monitoring/StructuredLogger.js +207 -0
- package/dist/monitoring/StructuredLogger.js.map +1 -0
- package/dist/monitoring/TracingBootstrap.d.ts +69 -0
- package/dist/monitoring/TracingBootstrap.js +129 -0
- package/dist/monitoring/TracingBootstrap.js.map +1 -0
- package/dist/monitoring/TriggerMetricsCollector.d.ts +94 -0
- package/dist/monitoring/TriggerMetricsCollector.js +174 -0
- package/dist/monitoring/TriggerMetricsCollector.js.map +1 -0
- package/dist/monitoring/index.d.ts +9 -0
- package/dist/monitoring/index.js +10 -0
- package/dist/monitoring/index.js.map +1 -0
- package/dist/openapi/OpenAPIGenerator.d.ts +192 -0
- package/dist/openapi/OpenAPIGenerator.js +373 -0
- package/dist/openapi/OpenAPIGenerator.js.map +1 -0
- package/dist/openapi/index.d.ts +20 -0
- package/dist/openapi/index.js +20 -0
- package/dist/openapi/index.js.map +1 -0
- package/dist/security/ABAC.d.ts +224 -0
- package/dist/security/ABAC.js +380 -0
- package/dist/security/ABAC.js.map +1 -0
- package/dist/security/AuditLogger.d.ts +242 -0
- package/dist/security/AuditLogger.js +317 -0
- package/dist/security/AuditLogger.js.map +1 -0
- package/dist/security/AuthMiddleware.d.ts +163 -0
- package/dist/security/AuthMiddleware.js +274 -0
- package/dist/security/AuthMiddleware.js.map +1 -0
- package/dist/security/EncryptionAtRest.d.ts +206 -0
- package/dist/security/EncryptionAtRest.js +236 -0
- package/dist/security/EncryptionAtRest.js.map +1 -0
- package/dist/security/OAuthProvider.d.ts +334 -0
- package/dist/security/OAuthProvider.js +719 -0
- package/dist/security/OAuthProvider.js.map +1 -0
- package/dist/security/PIIDetector.d.ts +233 -0
- package/dist/security/PIIDetector.js +354 -0
- package/dist/security/PIIDetector.js.map +1 -0
- package/dist/security/RBAC.d.ts +143 -0
- package/dist/security/RBAC.js +285 -0
- package/dist/security/RBAC.js.map +1 -0
- package/dist/security/SecretManager.d.ts +652 -0
- package/dist/security/SecretManager.js +1146 -0
- package/dist/security/SecretManager.js.map +1 -0
- package/dist/security/TLSConfig.d.ts +305 -0
- package/dist/security/TLSConfig.js +550 -0
- package/dist/security/TLSConfig.js.map +1 -0
- package/dist/security/index.d.ts +79 -0
- package/dist/security/index.js +80 -0
- package/dist/security/index.js.map +1 -0
- package/dist/testing/TestHarness.d.ts +189 -0
- package/dist/testing/TestHarness.js +272 -0
- package/dist/testing/TestHarness.js.map +1 -0
- package/dist/testing/TestLogger.d.ts +103 -0
- package/dist/testing/TestLogger.js +153 -0
- package/dist/testing/TestLogger.js.map +1 -0
- package/dist/testing/WorkflowTestRunner.d.ts +172 -0
- package/dist/testing/WorkflowTestRunner.js +355 -0
- package/dist/testing/WorkflowTestRunner.js.map +1 -0
- package/dist/testing/index.d.ts +21 -0
- package/dist/testing/index.js +22 -0
- package/dist/testing/index.js.map +1 -0
- package/dist/tracing/InMemoryRunStore.d.ts +44 -0
- package/dist/tracing/InMemoryRunStore.js +341 -0
- package/dist/tracing/InMemoryRunStore.js.map +1 -0
- package/dist/tracing/PostgresRunStore.d.ts +82 -0
- package/dist/tracing/PostgresRunStore.js +640 -0
- package/dist/tracing/PostgresRunStore.js.map +1 -0
- package/dist/tracing/RunStore.d.ts +38 -0
- package/dist/tracing/RunStore.js +2 -0
- package/dist/tracing/RunStore.js.map +1 -0
- package/dist/tracing/RunTracker.d.ts +75 -0
- package/dist/tracing/RunTracker.js +374 -0
- package/dist/tracing/RunTracker.js.map +1 -0
- package/dist/tracing/SqliteRunStore.d.ts +53 -0
- package/dist/tracing/SqliteRunStore.js +703 -0
- package/dist/tracing/SqliteRunStore.js.map +1 -0
- package/dist/tracing/TraceRouter.d.ts +47 -0
- package/dist/tracing/TraceRouter.js +904 -0
- package/dist/tracing/TraceRouter.js.map +1 -0
- package/dist/tracing/TracingLogger.d.ts +21 -0
- package/dist/tracing/TracingLogger.js +62 -0
- package/dist/tracing/TracingLogger.js.map +1 -0
- package/dist/tracing/createStore.d.ts +30 -0
- package/dist/tracing/createStore.js +75 -0
- package/dist/tracing/createStore.js.map +1 -0
- package/dist/tracing/index.d.ts +13 -0
- package/dist/tracing/index.js +9 -0
- package/dist/tracing/index.js.map +1 -0
- package/dist/tracing/sanitize.d.ts +7 -0
- package/dist/tracing/sanitize.js +95 -0
- package/dist/tracing/sanitize.js.map +1 -0
- package/dist/tracing/types.d.ts +178 -0
- package/dist/tracing/types.js +3 -0
- package/dist/tracing/types.js.map +1 -0
- package/dist/types/Average.d.ts +11 -0
- package/dist/types/Average.js +2 -0
- package/dist/types/Average.js.map +1 -0
- package/dist/types/Condition.d.ts +8 -0
- package/dist/types/Condition.js +2 -0
- package/dist/types/Condition.js.map +1 -0
- package/dist/types/Conditions.d.ts +5 -0
- package/dist/types/Conditions.js +2 -0
- package/dist/types/Conditions.js.map +1 -0
- package/dist/types/Config.d.ts +12 -0
- package/dist/types/Config.js +2 -0
- package/dist/types/Config.js.map +1 -0
- package/dist/types/Flow.d.ts +5 -0
- package/dist/types/Flow.js +2 -0
- package/dist/types/Flow.js.map +1 -0
- package/dist/types/GlobalOptions.d.ts +11 -0
- package/dist/types/GlobalOptions.js +2 -0
- package/dist/types/GlobalOptions.js.map +1 -0
- package/dist/types/Inputs.d.ts +5 -0
- package/dist/types/Inputs.js +2 -0
- package/dist/types/Inputs.js.map +1 -0
- package/dist/types/JsonLikeObject.d.ts +3 -0
- package/dist/types/JsonLikeObject.js +2 -0
- package/dist/types/JsonLikeObject.js.map +1 -0
- package/dist/types/Mapper.d.ts +5 -0
- package/dist/types/Mapper.js +2 -0
- package/dist/types/Mapper.js.map +1 -0
- package/dist/types/Node.d.ts +10 -0
- package/dist/types/Node.js +2 -0
- package/dist/types/Node.js.map +1 -0
- package/dist/types/ParamsDictionary.d.ts +3 -0
- package/dist/types/ParamsDictionary.js +2 -0
- package/dist/types/ParamsDictionary.js.map +1 -0
- package/dist/types/Properties.d.ts +5 -0
- package/dist/types/Properties.js +2 -0
- package/dist/types/Properties.js.map +1 -0
- package/dist/types/Targets.d.ts +5 -0
- package/dist/types/Targets.js +2 -0
- package/dist/types/Targets.js.map +1 -0
- package/dist/types/Trigger.d.ts +5 -0
- package/dist/types/Trigger.js +2 -0
- package/dist/types/Trigger.js.map +1 -0
- package/dist/types/TriggerHttp.d.ts +7 -0
- package/dist/types/TriggerHttp.js +2 -0
- package/dist/types/TriggerHttp.js.map +1 -0
- package/dist/types/TriggerResponse.d.ts +6 -0
- package/dist/types/TriggerResponse.js +2 -0
- package/dist/types/TriggerResponse.js.map +1 -0
- package/dist/types/Triggers.d.ts +5 -0
- package/dist/types/Triggers.js +2 -0
- package/dist/types/Triggers.js.map +1 -0
- package/dist/types/TryCatch.d.ts +6 -0
- package/dist/types/TryCatch.js +2 -0
- package/dist/types/TryCatch.js.map +1 -0
- package/dist/visualization/NodeDependencyGraph.d.ts +76 -0
- package/dist/visualization/NodeDependencyGraph.js +418 -0
- package/dist/visualization/NodeDependencyGraph.js.map +1 -0
- package/dist/visualization/WorkflowVisualizer.d.ts +144 -0
- package/dist/visualization/WorkflowVisualizer.js +446 -0
- package/dist/visualization/WorkflowVisualizer.js.map +1 -0
- package/package.json +95 -0
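--- a/package/dist/security/ABAC.d.ts
+++ b/package/dist/security/ABAC.d.ts
@@ -0,0 +1,224 @@
+/**
+* Attribute-Based Access Control (ABAC) for Blok
+*
+* Provides fine-grained, attribute-driven access control that complements RBAC:
+* - Policies evaluate attributes of subject, resource, action, and environment
+* - Supports logical operators (AND, OR, NOT) for complex conditions
+* - Supports comparison operators (equals, not_equals, in, not_in, contains, matches, gt, lt, gte, lte, between)
+* - Supports attribute-to-attribute comparison via `valueRef` (e.g., resource.owner == subject.sub)
+* - Integrates with AuthIdentity claims and RBAC roles
+* - JSON-serializable policies for persistence and external management
+*
+* @example
+* ```typescript
+* const engine = new ABACEngine();
+*
+* engine.addPolicy({
+* id: "work-hours-only",
+* description: "Allow workflow execution only during business hours",
+* effect: "allow",
+* target: {
+* resource: "workflow",
+* actions: ["execute"],
+* },
+* conditions: {
+* all: [
+* { attribute: "environment.hour", operator: "gte", value: 9 },
+* { attribute: "environment.hour", operator: "lt", value: 17 },
+* { attribute: "subject.department", operator: "equals", value: "engineering" },
+* ],
+* },
+* });
+*
+* const result = engine.evaluate({
+* subject: { sub: "user-1", roles: ["developer"], department: "engineering" },
+* resource: { type: "workflow", id: "/api/users" },
+* action: "execute",
+* environment: { hour: 14, ip: "10.0.0.1" },
+* });
+* ```
+*/
+export type ABACOperator = "equals" | "not_equals" | "in" | "not_in" | "contains" | "not_contains" | "matches" | "gt" | "lt" | "gte" | "lte" | "between" | "exists" | "not_exists";
+export type ABACEffect = "allow" | "deny";
+/**
+* A single attribute condition that compares an attribute path against a value.
+*
+* Attribute paths use dot notation to access nested properties:
+* - `subject.department` — the subject's department attribute
+* - `resource.owner` — the resource's owner attribute
+* - `environment.ip` — the environment's IP address
+* - `environment.hour` — the current hour (0-23)
+*/
+export interface ABACCondition {
+/** Dot-separated path to the attribute (e.g., "subject.department") */
+attribute: string;
+/** Comparison operator */
+operator: ABACOperator;
+/** Static value to compare against (ignored for exists/not_exists operators) */
+value?: unknown;
+/** Attribute path to resolve as the comparison value (attribute-to-attribute comparison).
+* When set, `value` is ignored and the comparison value is resolved from the request. */
+valueRef?: string;
+}
+/**
+* Logical grouping of conditions.
+*
+* - `all`: Every condition must be true (AND)
+* - `any`: At least one condition must be true (OR)
+* - `none`: No condition may be true (NOT / NOR)
+*
+* Groups can be nested for complex logic.
+*/
+export interface ABACConditionGroup {
+/** All conditions must be true (AND) */
+all?: Array<ABACCondition | ABACConditionGroup>;
+/** At least one condition must be true (OR) */
+any?: Array<ABACCondition | ABACConditionGroup>;
+/** No condition may be true (NOR) */
+none?: Array<ABACCondition | ABACConditionGroup>;
+}
+/**
+* Policy target restricts which requests the policy applies to.
+*/
+export interface ABACPolicyTarget {
+/** Resource type (e.g., "workflow", "node", "*") */
+resource?: string;
+/** Resource ID pattern (supports * wildcards) */
+resourcePattern?: string;
+/** Actions this policy applies to */
+actions?: string[];
+}
+/**
+* An ABAC policy defines conditions under which access is allowed or denied.
+*/
+export interface ABACPolicy {
+/** Unique policy identifier */
+id: string;
+/** Human-readable description */
+description?: string;
+/** Whether this policy grants or denies access */
+effect: ABACEffect;
+/** Target resource/action scope — if omitted, applies to all requests */
+target?: ABACPolicyTarget;
+/** Conditions that must be satisfied for the policy to apply */
+conditions: ABACConditionGroup;
+/** Priority (higher = evaluated first). Default: 0 */
+priority?: number;
+/** Whether the policy is active. Default: true */
+enabled?: boolean;
+}
+/**
+* Attributes about the requesting subject (user or service).
+*/
+export interface SubjectAttributes {
+/** Unique identifier */
+sub: string;
+/** Assigned roles */
+roles?: string[];
+/** Additional attributes (department, clearance, team, etc.) */
+[key: string]: unknown;
+}
+/**
+* Attributes about the target resource.
+*/
+export interface ResourceAttributes {
+/** Resource type (workflow, node, trigger, etc.) */
+type: string;
+/** Resource identifier */
+id: string;
+/** Additional attributes (owner, classification, sensitivity, etc.) */
+[key: string]: unknown;
+}
+/**
+* Attributes about the environment / context.
+*/
+export interface EnvironmentAttributes {
+/** Additional attributes (ip, hour, dayOfWeek, location, etc.) */
+[key: string]: unknown;
+}
+/**
+* A complete ABAC evaluation request context.
+*/
+export interface ABACRequest {
+subject: SubjectAttributes;
+resource: ResourceAttributes;
+action: string;
+environment?: EnvironmentAttributes;
+}
+/**
+* Result of an ABAC evaluation.
+*/
+export interface ABACResult {
+/** Whether access is allowed */
+allowed: boolean;
+/** The policy that determined the decision (if any) */
+matchedPolicy?: ABACPolicy;
+/** All policies that were evaluated */
+evaluatedPolicies: Array<{
+policyId: string;
+effect: ABACEffect;
+matched: boolean;
+}>;
+/** Reason for the decision */
+reason: string;
+}
+export declare class ABACEngine {
+private policies;
+private defaultEffect;
+constructor(options?: {
+defaultEffect?: ABACEffect;
+});
+/**
+* Add or update a policy.
+*/
+addPolicy(policy: ABACPolicy): void;
+/**
+* Remove a policy by ID.
+*/
+removePolicy(id: string): void;
+/**
+* Get a policy by ID.
+*/
+getPolicy(id: string): ABACPolicy | undefined;
+/**
+* Get all policies, sorted by priority (highest first).
+*/
+getPolicies(): ABACPolicy[];
+/**
+* Evaluate an access request against all policies.
+*
+* Policy evaluation order:
+* 1. Policies are sorted by priority (highest first)
+* 2. Only enabled policies are considered
+* 3. Only policies whose target matches the request are considered
+* 4. The first matching "deny" policy short-circuits with denial
+* 5. Otherwise, at least one matching "allow" policy is required
+* 6. If no policy matches, the default effect applies
+*/
+evaluate(request: ABACRequest): ABACResult;
+/**
+* Export all policies as JSON.
+*/
+toJSON(): {
+policies: ABACPolicy[];
+defaultEffect: ABACEffect;
+};
+/**
+* Load policies from JSON (replaces all existing policies).
+*/
+fromJSON(config: {
+policies: ABACPolicy[];
+defaultEffect?: ABACEffect;
+}): void;
+private matchesTarget;
+private evaluateConditionGroup;
+private evaluateItem;
+private evaluateCondition;
+private resolveAttribute;
+private compare;
+private matchesPattern;
+}
+/**
+* Create a preconfigured ABAC engine with common policies.
+*/
+export declare function createDefaultABAC(): ABACEngine;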
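Review bot: The `fromJSON` declaration (hunk lines 206-212) advertises loading persisted, externally managed policies but does not say that `effect: ABACEffect` is enforced only at compile time: in the ABAC.js section that follows, `fromJSON` (its hunk lines 147-155) copies each entry into the map unchecked, and `evaluate` (its hunk lines 102-116) short-circuits only on `effect === "deny"` and records every other matched policy as the allow, so a stored policy whose effect is mistyped or absent fails open. The `.d.ts` is the contract consumers read, so the doc comment should state the precondition, e.g. `* Entries are not validated at load; a policy read from external storage must carry a string id and an effect of exactly "allow" or "deny", since an unrecognised effect is not treated as deny.` The safer fix belongs in the implementation (reject or skip entries whose `effect` is not one of the two literals, and log the rejection), but the ABAC.js hunk runs past the end of what is visible here, so I am noting it against the declaration.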
@@ -0,0 +1,380 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Attribute-Based Access Control (ABAC) for Blok
|
|
3
|
+
*
|
|
4
|
+
* Provides fine-grained, attribute-driven access control that complements RBAC:
|
|
5
|
+
* - Policies evaluate attributes of subject, resource, action, and environment
|
|
6
|
+
* - Supports logical operators (AND, OR, NOT) for complex conditions
|
|
7
|
+
* - Supports comparison operators (equals, not_equals, in, not_in, contains, matches, gt, lt, gte, lte, between)
|
|
8
|
+
* - Supports attribute-to-attribute comparison via `valueRef` (e.g., resource.owner == subject.sub)
|
|
9
|
+
* - Integrates with AuthIdentity claims and RBAC roles
|
|
10
|
+
* - JSON-serializable policies for persistence and external management
|
|
11
|
+
*
|
|
12
|
+
* @example
|
|
13
|
+
* ```typescript
|
|
14
|
+
* const engine = new ABACEngine();
|
|
15
|
+
*
|
|
16
|
+
* engine.addPolicy({
|
|
17
|
+
* id: "work-hours-only",
|
|
18
|
+
* description: "Allow workflow execution only during business hours",
|
|
19
|
+
* effect: "allow",
|
|
20
|
+
* target: {
|
|
21
|
+
* resource: "workflow",
|
|
22
|
+
* actions: ["execute"],
|
|
23
|
+
* },
|
|
24
|
+
* conditions: {
|
|
25
|
+
* all: [
|
|
26
|
+
* { attribute: "environment.hour", operator: "gte", value: 9 },
|
|
27
|
+
* { attribute: "environment.hour", operator: "lt", value: 17 },
|
|
28
|
+
* { attribute: "subject.department", operator: "equals", value: "engineering" },
|
|
29
|
+
* ],
|
|
30
|
+
* },
|
|
31
|
+
* });
|
|
32
|
+
*
|
|
33
|
+
* const result = engine.evaluate({
|
|
34
|
+
* subject: { sub: "user-1", roles: ["developer"], department: "engineering" },
|
|
35
|
+
* resource: { type: "workflow", id: "/api/users" },
|
|
36
|
+
* action: "execute",
|
|
37
|
+
* environment: { hour: 14, ip: "10.0.0.1" },
|
|
38
|
+
* });
|
|
39
|
+
* ```
|
|
40
|
+
*/
|
|
41
|
+
// ────────────────────────────── Engine ──────────────────────────────
|
|
42
|
+
export class ABACEngine {
|
|
43
|
+
policies = new Map();
|
|
44
|
+
defaultEffect = "deny";
|
|
45
|
+
constructor(options) {
|
|
46
|
+
if (options?.defaultEffect) {
|
|
47
|
+
this.defaultEffect = options.defaultEffect;
|
|
48
|
+
}
|
|
49
|
+
}
|
|
50
|
+
/**
|
|
51
|
+
* Add or update a policy.
|
|
52
|
+
*/
|
|
53
|
+
addPolicy(policy) {
|
|
54
|
+
this.policies.set(policy.id, policy);
|
|
55
|
+
}
|
|
56
|
+
/**
|
|
57
|
+
* Remove a policy by ID.
|
|
58
|
+
*/
|
|
59
|
+
removePolicy(id) {
|
|
60
|
+
this.policies.delete(id);
|
|
61
|
+
}
|
|
62
|
+
/**
|
|
63
|
+
* Get a policy by ID.
|
|
64
|
+
*/
|
|
65
|
+
getPolicy(id) {
|
|
66
|
+
return this.policies.get(id);
|
|
67
|
+
}
|
|
68
|
+
/**
|
|
69
|
+
* Get all policies, sorted by priority (highest first).
|
|
70
|
+
*/
|
|
71
|
+
getPolicies() {
|
|
72
|
+
return Array.from(this.policies.values()).sort((a, b) => (b.priority ?? 0) - (a.priority ?? 0));
|
|
73
|
+
}
|
|
74
|
+
/**
|
|
75
|
+
* Evaluate an access request against all policies.
|
|
76
|
+
*
|
|
77
|
+
* Policy evaluation order:
|
|
78
|
+
* 1. Policies are sorted by priority (highest first)
|
|
79
|
+
* 2. Only enabled policies are considered
|
|
80
|
+
* 3. Only policies whose target matches the request are considered
|
|
81
|
+
* 4. The first matching "deny" policy short-circuits with denial
|
|
82
|
+
* 5. Otherwise, at least one matching "allow" policy is required
|
|
83
|
+
* 6. If no policy matches, the default effect applies
|
|
84
|
+
*/
|
|
85
|
+
evaluate(request) {
|
|
86
|
+
const sortedPolicies = this.getPolicies();
|
|
87
|
+
const evaluatedPolicies = [];
|
|
88
|
+
let hasAllow = false;
|
|
89
|
+
let allowPolicy;
|
|
90
|
+
for (const policy of sortedPolicies) {
|
|
91
|
+
// Skip disabled policies
|
|
92
|
+
if (policy.enabled === false)
|
|
93
|
+
continue;
|
|
94
|
+
// Check if policy target matches the request
|
|
95
|
+
if (!this.matchesTarget(policy.target, request)) {
|
|
96
|
+
evaluatedPolicies.push({ policyId: policy.id, effect: policy.effect, matched: false });
|
|
97
|
+
continue;
|
|
98
|
+
}
|
|
99
|
+
// Evaluate conditions
|
|
100
|
+
const conditionsMet = this.evaluateConditionGroup(policy.conditions, request);
|
|
101
|
+
evaluatedPolicies.push({ policyId: policy.id, effect: policy.effect, matched: conditionsMet });
|
|
102
|
+
if (conditionsMet) {
|
|
103
|
+
// Deny takes precedence — short-circuit
|
|
104
|
+
if (policy.effect === "deny") {
|
|
105
|
+
return {
|
|
106
|
+
allowed: false,
|
|
107
|
+
matchedPolicy: policy,
|
|
108
|
+
evaluatedPolicies,
|
|
109
|
+
reason: `Denied by policy '${policy.id}'${policy.description ? `: ${policy.description}` : ""}`,
|
|
110
|
+
};
|
|
111
|
+
}
|
|
112
|
+
// Track the first matching allow
|
|
113
|
+
if (!hasAllow) {
|
|
114
|
+
hasAllow = true;
|
|
115
|
+
allowPolicy = policy;
|
|
116
|
+
}
|
|
117
|
+
}
|
|
118
|
+
}
|
|
119
|
+
if (hasAllow && allowPolicy) {
|
|
120
|
+
return {
|
|
121
|
+
allowed: true,
|
|
122
|
+
matchedPolicy: allowPolicy,
|
|
123
|
+
evaluatedPolicies,
|
|
124
|
+
reason: `Allowed by policy '${allowPolicy.id}'${allowPolicy.description ? `: ${allowPolicy.description}` : ""}`,
|
|
125
|
+
};
|
|
126
|
+
}
|
|
127
|
+
// No matching policy — use default
|
|
128
|
+
const allowed = this.defaultEffect === "allow";
|
|
129
|
+
return {
|
|
130
|
+
allowed,
|
|
131
|
+
evaluatedPolicies,
|
|
132
|
+
reason: allowed ? "No matching policy; default effect is allow" : "No matching policy; default effect is deny",
|
|
133
|
+
};
|
|
134
|
+
}
|
|
135
|
+
/**
|
|
136
|
+
* Export all policies as JSON.
|
|
137
|
+
*/
|
|
138
|
+
toJSON() {
|
|
139
|
+
return {
|
|
140
|
+
policies: Array.from(this.policies.values()),
|
|
141
|
+
defaultEffect: this.defaultEffect,
|
|
142
|
+
};
|
|
143
|
+
}
|
|
144
|
+
/**
|
|
145
|
+
* Load policies from JSON (replaces all existing policies).
|
|
146
|
+
*/
|
|
147
|
+
fromJSON(config) {
|
|
148
|
+
this.policies.clear();
|
|
149
|
+
for (const policy of config.policies) {
|
|
150
|
+
this.policies.set(policy.id, policy);
|
|
151
|
+
}
|
|
152
|
+
if (config.defaultEffect) {
|
|
153
|
+
this.defaultEffect = config.defaultEffect;
|
|
154
|
+
}
|
|
155
|
+
}
|
|
156
|
+
// ──────────────────── Target Matching ────────────────────
|
|
157
|
+
matchesTarget(target, request) {
|
|
158
|
+
if (!target)
|
|
159
|
+
return true;
|
|
160
|
+
// Check resource type
|
|
161
|
+
if (target.resource && target.resource !== "*") {
|
|
162
|
+
if (target.resource !== request.resource.type)
|
|
163
|
+
return false;
|
|
164
|
+
}
|
|
165
|
+
// Check resource pattern
|
|
166
|
+
if (target.resourcePattern) {
|
|
167
|
+
if (!this.matchesPattern(request.resource.id, target.resourcePattern))
|
|
168
|
+
return false;
|
|
169
|
+
}
|
|
170
|
+
// Check action
|
|
171
|
+
if (target.actions && target.actions.length > 0) {
|
|
172
|
+
if (!target.actions.includes(request.action) && !target.actions.includes("*"))
|
|
173
|
+
return false;
|
|
174
|
+
}
|
|
175
|
+
return true;
|
|
176
|
+
}
|
|
177
|
+
// ──────────────────── Condition Evaluation ────────────────────
|
|
178
|
+
evaluateConditionGroup(group, request) {
|
|
179
|
+
// A group with no clauses is treated as "always true"
|
|
180
|
+
const hasAny = group.all || group.any || group.none;
|
|
181
|
+
if (!hasAny)
|
|
182
|
+
return true;
|
|
183
|
+
// ALL: every item must be true
|
|
184
|
+
if (group.all) {
|
|
185
|
+
for (const item of group.all) {
|
|
186
|
+
if (!this.evaluateItem(item, request))
|
|
187
|
+
return false;
|
|
188
|
+
}
|
|
189
|
+
}
|
|
190
|
+
// ANY: at least one must be true
|
|
191
|
+
if (group.any) {
|
|
192
|
+
let anyTrue = false;
|
|
193
|
+
for (const item of group.any) {
|
|
194
|
+
if (this.evaluateItem(item, request)) {
|
|
195
|
+
anyTrue = true;
|
|
196
|
+
break;
|
|
197
|
+
}
|
|
198
|
+
}
|
|
199
|
+
if (!anyTrue)
|
|
200
|
+
return false;
|
|
201
|
+
}
|
|
202
|
+
// NONE: no item may be true
|
|
203
|
+
if (group.none) {
|
|
204
|
+
for (const item of group.none) {
|
|
205
|
+
if (this.evaluateItem(item, request))
|
|
206
|
+
return false;
|
|
207
|
+
}
|
|
208
|
+
}
|
|
209
|
+
return true;
|
|
210
|
+
}
|
|
211
|
+
evaluateItem(item, request) {
|
|
212
|
+
// Distinguish condition from group: conditions have "attribute"
|
|
213
|
+
if ("attribute" in item) {
|
|
214
|
+
return this.evaluateCondition(item, request);
|
|
215
|
+
}
|
|
216
|
+
return this.evaluateConditionGroup(item, request);
|
|
217
|
+
}
|
|
218
|
+
evaluateCondition(condition, request) {
|
|
219
|
+
const attributeValue = this.resolveAttribute(condition.attribute, request);
|
|
220
|
+
// If valueRef is set, resolve the comparison value from another attribute
|
|
221
|
+
const comparisonValue = condition.valueRef ? this.resolveAttribute(condition.valueRef, request) : condition.value;
|
|
222
|
+
return this.compare(attributeValue, condition.operator, comparisonValue);
|
|
223
|
+
}
|
|
224
|
+
// ──────────────────── Attribute Resolution ────────────────────
|
|
225
|
+
resolveAttribute(path, request) {
|
|
226
|
+
const segments = path.split(".");
|
|
227
|
+
if (segments.length === 0)
|
|
228
|
+
return undefined;
|
|
229
|
+
const root = segments[0];
|
|
230
|
+
const rest = segments.slice(1);
|
|
231
|
+
let obj;
|
|
232
|
+
switch (root) {
|
|
233
|
+
case "subject":
|
|
234
|
+
obj = request.subject;
|
|
235
|
+
break;
|
|
236
|
+
case "resource":
|
|
237
|
+
obj = request.resource;
|
|
238
|
+
break;
|
|
239
|
+
case "action":
|
|
240
|
+
// "action" with no sub-path resolves to the action string itself
|
|
241
|
+
return rest.length === 0 ? request.action : undefined;
|
|
242
|
+
case "environment":
|
|
243
|
+
obj = request.environment;
|
|
244
|
+
break;
|
|
245
|
+
default:
|
|
246
|
+
return undefined;
|
|
247
|
+
}
|
|
248
|
+
// Traverse the rest of the path
|
|
249
|
+
for (const segment of rest) {
|
|
250
|
+
if (obj === null || obj === undefined)
|
|
251
|
+
return undefined;
|
|
252
|
+
if (typeof obj === "object") {
|
|
253
|
+
obj = obj[segment];
|
|
254
|
+
}
|
|
255
|
+
else {
|
|
256
|
+
return undefined;
|
|
257
|
+
}
|
|
258
|
+
}
|
|
259
|
+
return obj;
|
|
260
|
+
}
|
|
261
|
+
// ──────────────────── Comparison Operators ────────────────────
|
|
262
|
+
compare(actual, operator, expected) {
|
|
263
|
+
switch (operator) {
|
|
264
|
+
case "equals":
|
|
265
|
+
return actual === expected;
|
|
266
|
+
case "not_equals":
|
|
267
|
+
return actual !== expected;
|
|
268
|
+
case "in":
|
|
269
|
+
return Array.isArray(expected) && expected.includes(actual);
|
|
270
|
+
case "not_in":
|
|
271
|
+
return Array.isArray(expected) && !expected.includes(actual);
|
|
272
|
+
case "contains":
|
|
273
|
+
if (Array.isArray(actual))
|
|
274
|
+
return actual.includes(expected);
|
|
275
|
+
if (typeof actual === "string" && typeof expected === "string")
|
|
276
|
+
return actual.includes(expected);
|
|
277
|
+
return false;
|
|
278
|
+
case "not_contains":
|
|
279
|
+
if (Array.isArray(actual))
|
|
280
|
+
return !actual.includes(expected);
|
|
281
|
+
if (typeof actual === "string" && typeof expected === "string")
|
|
282
|
+
return !actual.includes(expected);
|
|
283
|
+
return true;
|
|
284
|
+
case "matches":
|
|
285
|
+
if (typeof actual !== "string" || typeof expected !== "string")
|
|
286
|
+
return false;
|
|
287
|
+
try {
|
|
288
|
+
return new RegExp(expected).test(actual);
|
|
289
|
+
}
|
|
290
|
+
catch {
|
|
291
|
+
return false;
|
|
292
|
+
}
|
|
293
|
+
case "gt":
|
|
294
|
+
return typeof actual === "number" && typeof expected === "number" && actual > expected;
|
|
295
|
+
case "lt":
|
|
296
|
+
return typeof actual === "number" && typeof expected === "number" && actual < expected;
|
|
297
|
+
case "gte":
|
|
298
|
+
return typeof actual === "number" && typeof expected === "number" && actual >= expected;
|
|
299
|
+
case "lte":
|
|
300
|
+
return typeof actual === "number" && typeof expected === "number" && actual <= expected;
|
|
301
|
+
case "between": {
|
|
302
|
+
if (typeof actual !== "number")
|
|
303
|
+
return false;
|
|
304
|
+
if (!Array.isArray(expected) || expected.length !== 2)
|
|
305
|
+
return false;
|
|
306
|
+
const [low, high] = expected;
|
|
307
|
+
return typeof low === "number" && typeof high === "number" && actual >= low && actual <= high;
|
|
308
|
+
}
|
|
309
|
+
case "exists":
|
|
310
|
+
return actual !== undefined && actual !== null;
|
|
311
|
+
case "not_exists":
|
|
312
|
+
return actual === undefined || actual === null;
|
|
313
|
+
default:
|
|
314
|
+
return false;
|
|
315
|
+
}
|
|
316
|
+
}
|
|
317
|
+
// ──────────────────── Utility ────────────────────
|
|
318
|
+
matchesPattern(value, pattern) {
|
|
319
|
+
if (pattern === "*")
|
|
320
|
+
return true;
|
|
321
|
+
const regexStr = pattern.replace(/\*/g, ".*").replace(/\?/g, ".");
|
|
322
|
+
const regex = new RegExp(`^${regexStr}$`);
|
|
323
|
+
return regex.test(value);
|
|
324
|
+
}
|
|
325
|
+
}
|
|
326
|
+
/**
|
|
327
|
+
* Create a preconfigured ABAC engine with common policies.
|
|
328
|
+
*/
|
|
329
|
+
export function createDefaultABAC() {
|
|
330
|
+
const engine = new ABACEngine();
|
|
331
|
+
// Policy: Admin override — admins always get access
|
|
332
|
+
engine.addPolicy({
|
|
333
|
+
id: "admin-override",
|
|
334
|
+
description: "Admin role bypasses all attribute checks",
|
|
335
|
+
effect: "allow",
|
|
336
|
+
priority: 1000,
|
|
337
|
+
conditions: {
|
|
338
|
+
any: [{ attribute: "subject.roles", operator: "contains", value: "admin" }],
|
|
339
|
+
},
|
|
340
|
+
});
|
|
341
|
+
// Policy: Deny access from blocked IPs
|
|
342
|
+
engine.addPolicy({
|
|
343
|
+
id: "block-denied-ips",
|
|
344
|
+
description: "Deny access from blocked IP ranges",
|
|
345
|
+
effect: "deny",
|
|
346
|
+
priority: 900,
|
|
347
|
+
conditions: {
|
|
348
|
+
any: [{ attribute: "environment.blocked", operator: "equals", value: true }],
|
|
349
|
+
},
|
|
350
|
+
});
|
|
351
|
+
// Policy: Allow service accounts to execute workflows
|
|
352
|
+
engine.addPolicy({
|
|
353
|
+
id: "service-execute",
|
|
354
|
+
description: "Service accounts can execute workflows",
|
|
355
|
+
effect: "allow",
|
|
356
|
+
priority: 100,
|
|
357
|
+
target: {
|
|
358
|
+
resource: "workflow",
|
|
359
|
+
actions: ["execute"],
|
|
360
|
+
},
|
|
361
|
+
conditions: {
|
|
362
|
+
all: [{ attribute: "subject.roles", operator: "contains", value: "service" }],
|
|
363
|
+
},
|
|
364
|
+
});
|
|
365
|
+
// Policy: Resource owner full access (attribute-to-attribute comparison)
|
|
366
|
+
engine.addPolicy({
|
|
367
|
+
id: "resource-owner-access",
|
|
368
|
+
description: "Resource owners have full access to their resources",
|
|
369
|
+
effect: "allow",
|
|
370
|
+
priority: 500,
|
|
371
|
+
conditions: {
|
|
372
|
+
all: [
|
|
373
|
+
{ attribute: "resource.owner", operator: "exists" },
|
|
374
|
+
{ attribute: "resource.owner", operator: "equals", valueRef: "subject.sub" },
|
|
375
|
+
],
|
|
376
|
+
},
|
|
377
|
+
});
|
|
378
|
+
return engine;
|
|
379
|
+
}
|
|
380
|
+
//# sourceMappingURL=ABAC.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"ABAC.js","sourceRoot":"","sources":["../../src/security/ABAC.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuCG;AAqJH,uEAAuE;AAEvE,MAAM,OAAO,UAAU;IACd,QAAQ,GAA4B,IAAI,GAAG,EAAE,CAAC;IAC9C,aAAa,GAAe,MAAM,CAAC;IAE3C,YAAY,OAAwC;QACnD,IAAI,OAAO,EAAE,aAAa,EAAE,CAAC;YAC5B,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC,aAAa,CAAC;QAC5C,CAAC;IACF,CAAC;IAED;;OAEG;IACH,SAAS,CAAC,MAAkB;QAC3B,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;IACtC,CAAC;IAED;;OAEG;IACH,YAAY,CAAC,EAAU;QACtB,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IAC1B,CAAC;IAED;;OAEG;IACH,SAAS,CAAC,EAAU;QACnB,OAAO,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAC9B,CAAC;IAED;;OAEG;IACH,WAAW;QACV,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,CAAC,CAAC;IACjG,CAAC;IAED;;;;;;;;;;OAUG;IACH,QAAQ,CAAC,OAAoB;QAC5B,MAAM,cAAc,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;QAC1C,MAAM,iBAAiB,GAAoC,EAAE,CAAC;QAE9D,IAAI,QAAQ,GAAG,KAAK,CAAC;QACrB,IAAI,WAAmC,CAAC;QAExC,KAAK,MAAM,MAAM,IAAI,cAAc,EAAE,CAAC;YACrC,yBAAyB;YACzB,IAAI,MAAM,CAAC,OAAO,KAAK,KAAK;gBAAE,SAAS;YAEvC,6CAA6C;YAC7C,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC;gBACjD,iBAAiB,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;gBACvF,SAAS;YACV,CAAC;YAED,sBAAsB;YACtB,MAAM,aAAa,GAAG,IAAI,CAAC,sBAAsB,CAAC,MAAM,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YAC9E,iBAAiB,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,CAAC,CAAC;YAE/F,IAAI,aAAa,EAAE,CAAC;gBACnB,wCAAwC;gBACxC,IAAI,MAAM,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;oBAC9B,OAAO;wBACN,OAAO,EAAE,KAAK;wBACd,aAAa,EAAE,MAAM;wBACrB,iBAAiB;wBACjB,MAAM,EAAE,qBAAqB,MAAM,CAAC,EAAE,IAAI,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,KAAK,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE;qBAC/F,CAAC;gBACH,CAAC;gBAED,iCAAiC;gBACjC,IAAI,CAAC,QAAQ,EAAE,CAAC;oBACf,QAAQ,GAAG,IAA
I,CAAC;oBAChB,WAAW,GAAG,MAAM,CAAC;gBACtB,CAAC;YACF,CAAC;QACF,CAAC;QAED,IAAI,QAAQ,IAAI,WAAW,EAAE,CAAC;YAC7B,OAAO;gBACN,OAAO,EAAE,IAAI;gBACb,aAAa,EAAE,WAAW;gBAC1B,iBAAiB;gBACjB,MAAM,EAAE,sBAAsB,WAAW,CAAC,EAAE,IAAI,WAAW,CAAC,WAAW,CAAC,CAAC,CAAC,KAAK,WAAW,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE;aAC/G,CAAC;QACH,CAAC;QAED,mCAAmC;QACnC,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,KAAK,OAAO,CAAC;QAC/C,OAAO;YACN,OAAO;YACP,iBAAiB;YACjB,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,6CAA6C,CAAC,CAAC,CAAC,4CAA4C;SAC9G,CAAC;IACH,CAAC;IAED;;OAEG;IACH,MAAM;QACL,OAAO;YACN,QAAQ,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;YAC5C,aAAa,EAAE,IAAI,CAAC,aAAa;SACjC,CAAC;IACH,CAAC;IAED;;OAEG;IACH,QAAQ,CAAC,MAA8D;QACtE,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;QACtB,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACtC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;QACtC,CAAC;QACD,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;YAC1B,IAAI,CAAC,aAAa,GAAG,MAAM,CAAC,aAAa,CAAC;QAC3C,CAAC;IACF,CAAC;IAED,4DAA4D;IAEpD,aAAa,CAAC,MAAoC,EAAE,OAAoB;QAC/E,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAEzB,sBAAsB;QACtB,IAAI,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ,KAAK,GAAG,EAAE,CAAC;YAChD,IAAI,MAAM,CAAC,QAAQ,KAAK,OAAO,CAAC,QAAQ,CAAC,IAAI;gBAAE,OAAO,KAAK,CAAC;QAC7D,CAAC;QAED,yBAAyB;QACzB,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;YAC5B,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC,eAAe,CAAC;gBAAE,OAAO,KAAK,CAAC;QACrF,CAAC;QAED,eAAe;QACf,IAAI,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACjD,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;gBAAE,OAAO,KAAK,CAAC;QAC7F,CAAC;QAED,OAAO,IAAI,CAAC;IACb,CAAC;IAED,iEAAiE;IAEzD,sBAAsB,CAAC,KAAyB,EAAE,OAAoB;QAC7E,sDAAsD;QACtD,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,IAAI,KAAK,CAAC,GAAG,IAAI,KAAK,CAAC,IAAI,CAAC;QACpD,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAEzB,+BAA+B;QAC/B,IAAI,KAAK,CAAC,GAAG,EAAE,CAAC;YACf,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,GAAG,EAAE,CAAC;gBAC9B,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC;oBAAE,OAAO,KAAK,CAAC;YAC
rD,CAAC;QACF,CAAC;QAED,iCAAiC;QACjC,IAAI,KAAK,CAAC,GAAG,EAAE,CAAC;YACf,IAAI,OAAO,GAAG,KAAK,CAAC;YACpB,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,GAAG,EAAE,CAAC;gBAC9B,IAAI,IAAI,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,CAAC;oBACtC,OAAO,GAAG,IAAI,CAAC;oBACf,MAAM;gBACP,CAAC;YACF,CAAC;YACD,IAAI,CAAC,OAAO;gBAAE,OAAO,KAAK,CAAC;QAC5B,CAAC;QAED,4BAA4B;QAC5B,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC;YAChB,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC;gBAC/B,IAAI,IAAI,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC;oBAAE,OAAO,KAAK,CAAC;YACpD,CAAC;QACF,CAAC;QAED,OAAO,IAAI,CAAC;IACb,CAAC;IAEO,YAAY,CAAC,IAAwC,EAAE,OAAoB;QAClF,gEAAgE;QAChE,IAAI,WAAW,IAAI,IAAI,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC,iBAAiB,CAAC,IAAqB,EAAE,OAAO,CAAC,CAAC;QAC/D,CAAC;QACD,OAAO,IAAI,CAAC,sBAAsB,CAAC,IAA0B,EAAE,OAAO,CAAC,CAAC;IACzE,CAAC;IAEO,iBAAiB,CAAC,SAAwB,EAAE,OAAoB;QACvE,MAAM,cAAc,GAAG,IAAI,CAAC,gBAAgB,CAAC,SAAS,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QAC3E,0EAA0E;QAC1E,MAAM,eAAe,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,SAAS,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC;QAClH,OAAO,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,SAAS,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;IAC1E,CAAC;IAED,iEAAiE;IAEzD,gBAAgB,CAAC,IAAY,EAAE,OAAoB;QAC1D,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACjC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,SAAS,CAAC;QAE5C,MAAM,IAAI,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;QACzB,MAAM,IAAI,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAE/B,IAAI,GAAY,CAAC;QACjB,QAAQ,IAAI,EAAE,CAAC;YACd,KAAK,SAAS;gBACb,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC;gBACtB,MAAM;YACP,KAAK,UAAU;gBACd,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC;gBACvB,MAAM;YACP,KAAK,QAAQ;gBACZ,iEAAiE;gBACjE,OAAO,IAAI,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC;YACvD,KAAK,aAAa;gBACjB,GAAG,GAAG,OAAO,CAAC,WAAW,CAAC;gBAC1B,MAAM;YACP;gBACC,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,gCAAgC;QAChC,KAAK,MAAM,OAAO,IAAI,IAAI,EAAE,CAAC;YAC5B,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,SAAS;gBAAE,OAAO,SAAS,CAAC;YACxD,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;gBAC7B,GAAG,GAAI,GAA+B,CAAC,OAAO,CAAC,CAAC;YACjD,CAAC;iBAAM,CAAC;gBACP,
OAAO,SAAS,CAAC;YAClB,CAAC;QACF,CAAC;QAED,OAAO,GAAG,CAAC;IACZ,CAAC;IAED,iEAAiE;IAEzD,OAAO,CAAC,MAAe,EAAE,QAAsB,EAAE,QAAiB;QACzE,QAAQ,QAAQ,EAAE,CAAC;YAClB,KAAK,QAAQ;gBACZ,OAAO,MAAM,KAAK,QAAQ,CAAC;YAE5B,KAAK,YAAY;gBAChB,OAAO,MAAM,KAAK,QAAQ,CAAC;YAE5B,KAAK,IAAI;gBACR,OAAO,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YAE7D,KAAK,QAAQ;gBACZ,OAAO,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YAE9D,KAAK,UAAU;gBACd,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC;oBAAE,OAAO,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;gBAC5D,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ;oBAAE,OAAO,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;gBACjG,OAAO,KAAK,CAAC;YAEd,KAAK,cAAc;gBAClB,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC;oBAAE,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;gBAC7D,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ;oBAAE,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;gBAClG,OAAO,IAAI,CAAC;YAEb,KAAK,SAAS;gBACb,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ;oBAAE,OAAO,KAAK,CAAC;gBAC7E,IAAI,CAAC;oBACJ,OAAO,IAAI,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBAC1C,CAAC;gBAAC,MAAM,CAAC;oBACR,OAAO,KAAK,CAAC;gBACd,CAAC;YAEF,KAAK,IAAI;gBACR,OAAO,OAAO,MAAM,KAAK,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,MAAM,GAAG,QAAQ,CAAC;YAExF,KAAK,IAAI;gBACR,OAAO,OAAO,MAAM,KAAK,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,MAAM,GAAG,QAAQ,CAAC;YAExF,KAAK,KAAK;gBACT,OAAO,OAAO,MAAM,KAAK,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,MAAM,IAAI,QAAQ,CAAC;YAEzF,KAAK,KAAK;gBACT,OAAO,OAAO,MAAM,KAAK,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,MAAM,IAAI,QAAQ,CAAC;YAEzF,KAAK,SAAS,CAAC,CAAC,CAAC;gBAChB,IAAI,OAAO,MAAM,KAAK,QAAQ;oBAAE,OAAO,KAAK,CAAC;gBAC7C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;oBAAE,OAAO,KAAK,CAAC;gBACpE,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,QAA4B,CAAC;gBACjD,OAAO,OAAO,GAAG,KAAK,QAAQ,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,MAAM,IAAI,GAAG,IAAI,MAAM,IAAI,IAAI,CAAC;YAC/F,CAAC;YAED,KAAK,QAAQ;gBACZ,OAAO,MAAM,KAAK,SAAS,IAAI,MAAM,KAAK,IAAI,CAAC;YAEhD,KAAK,YAAY;gBAChB,OAAO,MAAM,KAAK,SAAS,IAAI,MAAM,KAAK
,IAAI,CAAC;YAEhD;gBACC,OAAO,KAAK,CAAC;QACf,CAAC;IACF,CAAC;IAED,oDAAoD;IAE5C,cAAc,CAAC,KAAa,EAAE,OAAe;QACpD,IAAI,OAAO,KAAK,GAAG;YAAE,OAAO,IAAI,CAAC;QACjC,MAAM,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAClE,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,IAAI,QAAQ,GAAG,CAAC,CAAC;QAC1C,OAAO,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC1B,CAAC;CACD;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB;IAChC,MAAM,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;IAEhC,oDAAoD;IACpD,MAAM,CAAC,SAAS,CAAC;QAChB,EAAE,EAAE,gBAAgB;QACpB,WAAW,EAAE,0CAA0C;QACvD,MAAM,EAAE,OAAO;QACf,QAAQ,EAAE,IAAI;QACd,UAAU,EAAE;YACX,GAAG,EAAE,CAAC,EAAE,SAAS,EAAE,eAAe,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;SAC3E;KACD,CAAC,CAAC;IAEH,uCAAuC;IACvC,MAAM,CAAC,SAAS,CAAC;QAChB,EAAE,EAAE,kBAAkB;QACtB,WAAW,EAAE,oCAAoC;QACjD,MAAM,EAAE,MAAM;QACd,QAAQ,EAAE,GAAG;QACb,UAAU,EAAE;YACX,GAAG,EAAE,CAAC,EAAE,SAAS,EAAE,qBAAqB,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;SAC5E;KACD,CAAC,CAAC;IAEH,sDAAsD;IACtD,MAAM,CAAC,SAAS,CAAC;QAChB,EAAE,EAAE,iBAAiB;QACrB,WAAW,EAAE,wCAAwC;QACrD,MAAM,EAAE,OAAO;QACf,QAAQ,EAAE,GAAG;QACb,MAAM,EAAE;YACP,QAAQ,EAAE,UAAU;YACpB,OAAO,EAAE,CAAC,SAAS,CAAC;SACpB;QACD,UAAU,EAAE;YACX,GAAG,EAAE,CAAC,EAAE,SAAS,EAAE,eAAe,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;SAC7E;KACD,CAAC,CAAC;IAEH,yEAAyE;IACzE,MAAM,CAAC,SAAS,CAAC;QAChB,EAAE,EAAE,uBAAuB;QAC3B,WAAW,EAAE,qDAAqD;QAClE,MAAM,EAAE,OAAO;QACf,QAAQ,EAAE,GAAG;QACb,UAAU,EAAE;YACX,GAAG,EAAE;gBACJ,EAAE,SAAS,EAAE,gBAAgB,EAAE,QAAQ,EAAE,QAAQ,EAAE;gBACnD,EAAE,SAAS,EAAE,gBAAgB,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,aAAa,EAAE;aAC5E;SACD;KACD,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AACf,CAAC"}
|