npm - @checkstack/common - Versions diffs - 0.14.1 → 0.15.0 - Mend

@checkstack/common 0.14.1 → 0.15.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,51 @@
 # @checkstack/common
+## 0.15.0
+### Minor Changes
+- 56e7c75: Fix frontend access checks to use FULLY-QUALIFIED access-rule ids, and resolve
+  the anonymous role on the frontend.
+  Granted access-rule ids are stored fully-qualified as `{pluginId}.{ruleId}` (e.g.
+  `incident.incident.read`) so two plugins defining the same short rule id never
+  collide. The frontend, however, was checking the UNqualified id (`incident.read`)
+  via `isAccessRuleSatisfied`, so every check failed for any user without the `*`
+  (admin) grant - masked in development because dev-auth grants `*`. This silently
+  broke ALL non-admin frontend gating (route guards, sidebar entries, and
+  `useAccess`-based button/link gating).
+  - **`@checkstack/common`**: `AccessRule` now carries a REQUIRED owning `pluginId`;
+    `access()` / `accessPair()` require and stamp it; `isAccessRuleSatisfied`
+    qualifies the rule (`{pluginId}.{id}`, plus the manage->read escalation) and
+    matches ONLY the qualified form. There is intentionally NO unqualified fallback
+    - matching a bare id would let one plugin's grant satisfy another plugin's
+      identically-named rule (a cross-plugin privilege-escalation flaw). Every plugin
+      that defines access rules now passes its own `pluginId`.
+  - **`@checkstack/backend`**: `pluginManager.getAllAccessRules()` no longer strips
+    the `pluginId` field (the rule `id` is already fully-qualified for the DB sync).
+  - **Route guard** (`@checkstack/frontend` / `@checkstack/frontend-api`) now
+    checks the FULL rule object (so it qualifies and escalates), not a bare id.
+  - **Anonymous role on the frontend**: the `accessRules` procedure is now
+    `public`, returning the configurable anonymous role's grants to unauthenticated
+    callers; `useAccessRules` fetches them for guests instead of returning an empty
+    set. So anonymous UI now reflects exactly what the anonymous role is allowed -
+    which an admin can change (`isPublic` is only the seeded default).
+  - Incident / maintenance / SLO detail routes are now read-gated (their read rule
+    is an `isPublic` default, so the anonymous role holds it unless an admin
+    revokes it); their dashboard status signals carry that rule and render as a
+    link only when the viewer may open it.
+  **BREAKING (`@checkstack/common`):** `AccessRule.pluginId` is now REQUIRED, and
+  `access()` / `accessPair()` require a `pluginId` option. `isAccessRuleSatisfied`
+  matches ONLY the fully-qualified `{pluginId}.{ruleId}` form - the previous
+  unqualified fallback is removed, because it was a cross-plugin
+  privilege-escalation flaw. Any code constructing an `AccessRule` or calling
+  `access()`/`accessPair()` must supply the owning `pluginId`.
+  Verified live against an anonymous caller: read pages resolve (qualified match),
+  manage actions are denied, manage->read escalation and `*` still work.
 ## 0.14.1
 ### Patch Changes

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/common",
-  "version": "0.14.1",
+  "version": "0.15.0",
   "license": "Elastic-2.0",
   "type": "module",
   "main": "./src/index.ts",
@@ -20,7 +20,7 @@
   "devDependencies": {
     "typescript": "^5.7.2",
     "@checkstack/tsconfig": "0.0.7",
-    "@checkstack/scripts": "0.4.2"
+    "@checkstack/scripts": "0.6.1"
   },
   "scripts": {
     "typecheck": "tsgo -b",

package/src/access-utils.test.ts ADDED Viewed

@@ -0,0 +1,71 @@
+import { describe, expect, test } from "bun:test";
+import { access, accessPair, isAccessRuleSatisfied } from "./access-utils";
+describe("isAccessRuleSatisfied - qualified ids", () => {
+  // Granted ids are stored fully-qualified (`{pluginId}.{ruleId}`); rules carry
+  // their owning pluginId so the check qualifies before matching. This prevents
+  // collisions when two plugins define the same short rule id.
+  const incidentRead = access("incident", "read", "", { pluginId: "incident" });
+  const incidentManage = access("incident", "manage", "", {
+    pluginId: "incident",
+  });
+  test("matches a qualified granted id", () => {
+    expect(
+      isAccessRuleSatisfied(["incident.incident.read"], incidentRead),
+    ).toBe(true);
+  });
+  test("does NOT match the unqualified id when a pluginId is set", () => {
+    // The whole point: a bare "incident.read" grant must not satisfy a rule that
+    // belongs to the "incident" plugin (collision safety).
+    expect(isAccessRuleSatisfied(["incident.read"], incidentRead)).toBe(false);
+  });
+  test("does not collide across plugins with the same short id", () => {
+    // Plugin A granted; plugin B's identically-named rule must NOT be satisfied.
+    const ruleA = access("thing", "read", "", { pluginId: "plugin-a" });
+    const ruleB = access("thing", "read", "", { pluginId: "plugin-b" });
+    const granted = ["plugin-a.thing.read"];
+    expect(isAccessRuleSatisfied(granted, ruleA)).toBe(true);
+    expect(isAccessRuleSatisfied(granted, ruleB)).toBe(false);
+  });
+  test("manage grant escalates to read (qualified)", () => {
+    expect(
+      isAccessRuleSatisfied(["incident.incident.manage"], incidentRead),
+    ).toBe(true);
+  });
+  test("read grant does NOT escalate to manage", () => {
+    expect(
+      isAccessRuleSatisfied(["incident.incident.read"], incidentManage),
+    ).toBe(false);
+  });
+  test("wildcard satisfies anything", () => {
+    expect(isAccessRuleSatisfied(["*"], incidentManage)).toBe(true);
+  });
+  test("accessPair stamps pluginId on both levels", () => {
+    const pair = accessPair(
+      "system",
+      { read: { description: "" }, manage: { description: "" } },
+      { pluginId: "catalog" },
+    );
+    expect(pair.read.pluginId).toBe("catalog");
+    expect(pair.manage.pluginId).toBe("catalog");
+    expect(isAccessRuleSatisfied(["catalog.system.read"], pair.read)).toBe(true);
+    expect(isAccessRuleSatisfied(["catalog.system.manage"], pair.read)).toBe(
+      true,
+    ); // escalation
+  });
+  test("only the qualified form is ever matched (no unqualified fallback)", () => {
+    const rule = access("teams", "read", "", { pluginId: "auth" });
+    expect(isAccessRuleSatisfied(["auth.teams.read"], rule)).toBe(true);
+    // A bare, unqualified grant must NEVER satisfy a qualified rule.
+    expect(isAccessRuleSatisfied(["teams.read"], rule)).toBe(false);
+    expect(isAccessRuleSatisfied([], rule)).toBe(false);
+  });
+});

package/src/access-utils.ts CHANGED Viewed

@@ -69,6 +69,16 @@ export interface AccessRule {
    */
   readonly resource: string;
+  /**
+   * The id of the plugin that OWNS this rule. REQUIRED: granted access-rule ids
+   * are stored fully-qualified as `{pluginId}.{id}` (e.g. `incident.incident.read`)
+   * so the same short id from two plugins never collides, and access checks ONLY
+   * ever compare the qualified form. There is intentionally NO unqualified
+   * fallback - matching a bare id would be a privilege-escalation flaw across
+   * plugins. Set by the *-common access definitions via `pluginMetadata.pluginId`.
+   */
+  readonly pluginId: string;
   /**
    * The access level this rule grants: "read" or "manage".
    * Directly maps to canRead/canManage in team grants.
@@ -135,12 +145,16 @@ export function qualifyAccessRuleId(
  */
 export function isAccessRuleSatisfied(
   grantedRuleIds: readonly string[],
-  rule: Pick<AccessRule, "id" | "resource" | "level">,
+  rule: Pick<AccessRule, "id" | "resource" | "level" | "pluginId">,
 ): boolean {
   if (grantedRuleIds.includes("*")) return true;
-  if (grantedRuleIds.includes(rule.id)) return true;
+  // Granted ids are ALWAYS fully-qualified (`{pluginId}.{id}`). We match ONLY the
+  // qualified form - never the bare id - so one plugin's grant can never satisfy
+  // another plugin's identically-named rule (a cross-plugin escalation flaw).
+  const qualify = (id: string): string => `${rule.pluginId}.${id}`;
+  if (grantedRuleIds.includes(qualify(rule.id))) return true;
   if (rule.level === "read") {
-    return grantedRuleIds.includes(`${rule.resource}.manage`);
+    return grantedRuleIds.includes(qualify(`${rule.resource}.manage`));
   }
   return false;
 }
@@ -178,7 +192,9 @@ export function access(
   resource: string,
   level: AccessLevel,
   description: string,
-  options?: {
+  options: {
+    /** Owning plugin id (REQUIRED) - rules are matched only as `{pluginId}.{id}`. */
+    pluginId: string;
     idParam?: string;
     listKey?: string;
     recordKey?: string;
@@ -187,20 +203,21 @@ export function access(
   },
 ): AccessRule {
   const hasInstanceAccess =
-    options?.idParam || options?.listKey || options?.recordKey;
+    options.idParam || options.listKey || options.recordKey;
   return {
     id: `${resource}.${level}`,
     resource,
     level,
     description,
-    isDefault: options?.isDefault,
-    isPublic: options?.isPublic,
+    pluginId: options.pluginId,
+    isDefault: options.isDefault,
+    isPublic: options.isPublic,
     instanceAccess: hasInstanceAccess
       ? {
-          idParam: options?.idParam,
-          listKey: options?.listKey,
-          recordKey: options?.recordKey,
+          idParam: options.idParam,
+          listKey: options.listKey,
+          recordKey: options.recordKey,
         }
       : undefined,
   };
@@ -265,22 +282,27 @@ export function accessPair(
     read: AccessLevelConfig;
     manage: AccessLevelConfig;
   },
-  instanceAccess?: InstanceAccessConfig,
+  options: InstanceAccessConfig & {
+    /** Owning plugin id (REQUIRED) - rules are matched only as `{pluginId}.{id}`. */
+    pluginId: string;
+  },
 ): { read: AccessRule; manage: AccessRule } {
   return {
     read: access(resource, "read", levels.read.description, {
-      idParam: instanceAccess?.idParam,
-      listKey: instanceAccess?.listKey,
-      recordKey: instanceAccess?.recordKey,
+      idParam: options.idParam,
+      listKey: options.listKey,
+      recordKey: options.recordKey,
       isDefault: levels.read.isDefault,
       isPublic: levels.read.isPublic,
+      pluginId: options.pluginId,
     }),
     manage: access(resource, "manage", levels.manage.description, {
-      idParam: instanceAccess?.idParam,
+      idParam: options.idParam,
       // Note: manage doesn't typically use listKey (you don't "manage" a list in bulk)
       // but we include idParam for single-resource manage checks
       isDefault: levels.manage.isDefault,
       isPublic: levels.manage.isPublic,
+      pluginId: options.pluginId,
     }),
   };
 }