@cryptexlabs/codex-nodejs-common 0.1.15 → 0.1.19

package/src/auth/http-authz.detach-objects.guard.util.spec.ts

@@ -0,0 +1,369 @@
+import { ExecutionContext } from "@nestjs/common";
+import * as jwt from "jsonwebtoken";
+import { HttpAuthzDetachObjectsGuardUtil } from "./http-authz.detach-objects.guard.util";
+
+describe(HttpAuthzDetachObjectsGuardUtil.name, () => {
+  it("Should allow super admin to detach a group to a user", () => {
+    const token = jwt.sign(
+      {
+        scopes: [`cool-app:::any:any:any:any:any:any`],
+      },
+      "hello"
+    );
+
+    const context = {
+      switchToHttp: () => ({
+        getRequest: () => ({
+          headers: {
+            authorization: `Bearer ${token}`,
+          },
+          params: {
+            userId: "4d2114ca-24e2-43e5-bddb-d9a6688b8340",
+          },
+          body: ["680dddec-f0b9-4a01-b8b5-be725f946935"],
+        }),
+      }),
+    } as ExecutionContext;
+
+    const util = new HttpAuthzDetachObjectsGuardUtil(context);
+
+    expect(
+      util.isAuthorized(
+        "user",
+        "4d2114ca-24e2-43e5-bddb-d9a6688b8340",
+        "group",
+        ["5d549988-a3bf-49d7-91ae-aeef65a073cc"],
+        "cool-app"
+      )
+    ).toBe(true);
+  });
+
+  it("Should allow someone with permission to detach any group to a user to detach a group from the user", () => {
+    const token = jwt.sign(
+      {
+        scopes: [
+          `cool-app:::user:4d2114ca-24e2-43e5-bddb-d9a6688b8340::group:any:delete`,
+        ],
+      },
+      "hello"
+    );
+
+    const context = {
+      switchToHttp: () => ({
+        getRequest: () => ({
+          headers: {
+            authorization: `Bearer ${token}`,
+          },
+        }),
+      }),
+    } as ExecutionContext;
+
+    const util = new HttpAuthzDetachObjectsGuardUtil(context);
+
+    expect(
+      util.isAuthorized(
+        "user",
+        "4d2114ca-24e2-43e5-bddb-d9a6688b8340",
+        "group",
+        ["5d549988-a3bf-49d7-91ae-aeef65a073cc"],
+        "cool-app"
+      )
+    ).toBe(true);
+  });
+
+  it("Should allow someone with permission to do anything to any group on a user to detach a group from the user", () => {
+    const token = jwt.sign(
+      {
+        scopes: [
+          `cool-app:::user:4d2114ca-24e2-43e5-bddb-d9a6688b8340::group:any:any`,
+        ],
+      },
+      "hello"
+    );
+
+    const context = {
+      switchToHttp: () => ({
+        getRequest: () => ({
+          headers: {
+            authorization: `Bearer ${token}`,
+          },
+          params: {
+            userId: "4d2114ca-24e2-43e5-bddb-d9a6688b8340",
+          },
+          body: ["680dddec-f0b9-4a01-b8b5-be725f946935"],
+        }),
+      }),
+    } as ExecutionContext;
+
+    const util = new HttpAuthzDetachObjectsGuardUtil(context);
+
+    expect(
+      util.isAuthorized(
+        "user",
+        "4d2114ca-24e2-43e5-bddb-d9a6688b8340",
+        "group",
+        ["5d549988-a3bf-49d7-91ae-aeef65a073cc"],
+        "cool-app"
+      )
+    ).toBe(true);
+  });
+
+  it("Should allow someone with permission to do anything to any sub object for a user to detach a group from the user", () => {
+    const token = jwt.sign(
+      {
+        scopes: [
+          `cool-app:::user:4d2114ca-24e2-43e5-bddb-d9a6688b8340::any:any:any`,
+        ],
+      },
+      "hello"
+    );
+
+    const context = {
+      switchToHttp: () => ({
+        getRequest: () => ({
+          headers: {
+            authorization: `Bearer ${token}`,
+          },
+          params: {
+            userId: "4d2114ca-24e2-43e5-bddb-d9a6688b8340",
+          },
+          body: ["680dddec-f0b9-4a01-b8b5-be725f946935"],
+        }),
+      }),
+    } as ExecutionContext;
+
+    const util = new HttpAuthzDetachObjectsGuardUtil(context);
+
+    expect(
+      util.isAuthorized(
+        "user",
+        "4d2114ca-24e2-43e5-bddb-d9a6688b8340",
+        "group",
+        ["5d549988-a3bf-49d7-91ae-aeef65a073cc"],
+        "cool-app"
+      )
+    ).toBe(true);
+  });
+
+  it("Should allow someone with permission to detach a specific group to a user to detach the group to the user", () => {
+    const token = jwt.sign(
+      {
+        scopes: [
+          `cool-app:::user:4d2114ca-24e2-43e5-bddb-d9a6688b8340::group:680dddec-f0b9-4a01-b8b5-be725f946935:delete`,
+        ],
+      },
+      "hello"
+    );
+
+    const context = {
+      switchToHttp: () => ({
+        getRequest: () => ({
+          headers: {
+            authorization: `Bearer ${token}`,
+          },
+          params: {
+            userId: "4d2114ca-24e2-43e5-bddb-d9a6688b8340",
+          },
+          body: ["680dddec-f0b9-4a01-b8b5-be725f946935"],
+        }),
+      }),
+    } as ExecutionContext;
+
+    const util = new HttpAuthzDetachObjectsGuardUtil(context);
+
+    expect(
+      util.isAuthorized(
+        "user",
+        "4d2114ca-24e2-43e5-bddb-d9a6688b8340",
+        "group",
+        ["680dddec-f0b9-4a01-b8b5-be725f946935"],
+        "cool-app"
+      )
+    ).toBe(true);
+  });
+
+  it("Should not allow someone with permission to detach any group to a different user to detach a group from the user", () => {
+    const token = jwt.sign(
+      {
+        scopes: [
+          `cool-app:::user:55854a66-5a73-4416-b03a-eba4417b691c::group:any:create`,
+        ],
+      },
+      "hello"
+    );
+
+    const context = {
+      switchToHttp: () => ({
+        getRequest: () => ({
+          headers: {
+            authorization: `Bearer ${token}`,
+          },
+          params: {
+            userId: "001d4f53-798b-4a0b-8ef7-330a7bf72147",
+          },
+          body: ["680dddec-f0b9-4a01-b8b5-be725f946935"],
+        }),
+      }),
+    } as ExecutionContext;
+
+    const util = new HttpAuthzDetachObjectsGuardUtil(context);
+
+    expect(
+      util.isAuthorized(
+        "user",
+        "4d2114ca-24e2-43e5-bddb-d9a6688b8340",
+        "group",
+        ["5d549988-a3bf-49d7-91ae-aeef65a073cc"],
+        "cool-app"
+      )
+    ).toBe(false);
+  });
+
+  it("Should not allow someone with permission to do anything to a different user to detach a group from the user", () => {
+    const token = jwt.sign(
+      {
+        scopes: [
+          `cool-app:::user:55854a66-5a73-4416-b03a-eba4417b691c::group:any:any`,
+        ],
+      },
+      "hello"
+    );
+
+    const context = {
+      switchToHttp: () => ({
+        getRequest: () => ({
+          headers: {
+            authorization: `Bearer ${token}`,
+          },
+          params: {
+            userId: "001d4f53-798b-4a0b-8ef7-330a7bf72147",
+          },
+          body: ["680dddec-f0b9-4a01-b8b5-be725f946935"],
+        }),
+      }),
+    } as ExecutionContext;
+
+    const util = new HttpAuthzDetachObjectsGuardUtil(context);
+
+    expect(
+      util.isAuthorized(
+        "user",
+        "4d2114ca-24e2-43e5-bddb-d9a6688b8340",
+        "group",
+        ["5d549988-a3bf-49d7-91ae-aeef65a073cc"],
+        "cool-app"
+      )
+    ).toBe(false);
+  });
+
+  it("Should not allow someone with permission to do anything to any sub object for a different user to detach a group from the user", () => {
+    const token = jwt.sign(
+      {
+        scopes: [
+          `cool-app:::user:55854a66-5a73-4416-b03a-eba4417b691c::any:any:any`,
+        ],
+      },
+      "hello"
+    );
+
+    const context = {
+      switchToHttp: () => ({
+        getRequest: () => ({
+          headers: {
+            authorization: `Bearer ${token}`,
+          },
+          params: {
+            userId: "001d4f53-798b-4a0b-8ef7-330a7bf72147",
+          },
+          body: ["680dddec-f0b9-4a01-b8b5-be725f946935"],
+        }),
+      }),
+    } as ExecutionContext;
+
+    const util = new HttpAuthzDetachObjectsGuardUtil(context);
+
+    expect(
+      util.isAuthorized(
+        "user",
+        "4d2114ca-24e2-43e5-bddb-d9a6688b8340",
+        "group",
+        ["5d549988-a3bf-49d7-91ae-aeef65a073cc"],
+        "cool-app"
+      )
+    ).toBe(false);
+  });
+
+  it("Should not allow someone with permission to detach a specific group to a different user to detach the group to the user", () => {
+    const token = jwt.sign(
+      {
+        scopes: [
+          `cool-app:::user:4d2114ca-24e2-43e5-bddb-d9a6688b8340::group:680dddec-f0b9-4a01-b8b5-be725f946935:create`,
+        ],
+      },
+      "hello"
+    );
+
+    const context = {
+      switchToHttp: () => ({
+        getRequest: () => ({
+          headers: {
+            authorization: `Bearer ${token}`,
+          },
+          params: {
+            userId: "001d4f53-798b-4a0b-8ef7-330a7bf72147",
+          },
+          body: ["680dddec-f0b9-4a01-b8b5-be725f946935"],
+        }),
+      }),
+    } as ExecutionContext;
+
+    const util = new HttpAuthzDetachObjectsGuardUtil(context);
+
+    expect(
+      util.isAuthorized(
+        "user",
+        "4d2114ca-24e2-43e5-bddb-d9a6688b8340",
+        "group",
+        ["5d549988-a3bf-49d7-91ae-aeef65a073cc"],
+        "cool-app"
+      )
+    ).toBe(false);
+  });
+
+  it("Should not allow someone with permission to detach a different specific permission to a user to detach the group to the user", () => {
+    const token = jwt.sign(
+      {
+        scopes: [
+          `cool-app:::user:4d2114ca-24e2-43e5-bddb-d9a6688b8340::group:680dddec-f0b9-4a01-b8b5-be725f946935:create`,
+        ],
+      },
+      "hello"
+    );
+
+    const context = {
+      switchToHttp: () => ({
+        getRequest: () => ({
+          headers: {
+            authorization: `Bearer ${token}`,
+          },
+          params: {
+            userId: "4d2114ca-24e2-43e5-bddb-d9a6688b8340",
+          },
+          body: ["5be3176f-c066-4418-b682-18e16fd07b84"],
+        }),
+      }),
+    } as ExecutionContext;
+
+    const util = new HttpAuthzDetachObjectsGuardUtil(context);
+
+    expect(
+      util.isAuthorized(
+        "user",
+        "4d2114ca-24e2-43e5-bddb-d9a6688b8340",
+        "group",
+        ["5d549988-a3bf-49d7-91ae-aeef65a073cc"],
+        "cool-app"
+      )
+    ).toBe(false);
+  });
+});

package/src/auth/http-authz.detach-objects.guard.util.ts

@@ -0,0 +1,48 @@
+import { ExecutionContext } from "@nestjs/common";
+import { HttpAuthzActionToSubObjectsGuardUtil } from "./http-authz.action-to-sub-objects.guard.util";
+
+/**
+ * Authorizes detachment of objects to another object by object id
+ */
+export class HttpAuthzDetachObjectsGuardUtil {
+  private _util: HttpAuthzActionToSubObjectsGuardUtil;
+
+  constructor(private readonly context: ExecutionContext) {
+    this._util = new HttpAuthzActionToSubObjectsGuardUtil(context, "delete");
+  }
+
+  /**
+   * @param {string} object The object name of object A
+   * @param {string} objectId The object ID of object A
+   * @param {string} detachObject The object name of objects B
+   * @param {string[]} detachObjectIds The object IDs of Objects B to attach to object A
+   * @param {string?} namespace (Optional) The namespace of objects A and B
+   */
+  public isAuthorized(
+    object: string,
+    objectId: string,
+    detachObject: string,
+    detachObjectIds: string[],
+    namespace?: string
+  ) {
+    return this._util.isAuthorized(
+      object,
+      objectId,
+      detachObject,
+      detachObjectIds,
+      namespace
+    );
+  }
+
+  public get params() {
+    return this._util.params;
+  }
+
+  public get query() {
+    return this._util.query;
+  }
+
+  public get body() {
+    return this._util.body;
+  }
+}

package/src/auth/{http-authz-guard.util.spec.ts → http-authz.guard.util.spec.ts}

@@ -2,7 +2,7 @@ import { ExecutionContext } from "@nestjs/common";
 import { instance, mock, when } from "ts-mockito";
 import { HttpArgumentsHost } from "@nestjs/common/interfaces/features/arguments-host.interface";
 import * as jwt from "jsonwebtoken";
-import { HttpAuthzGuardUtil } from "./http-authz-guard.util";
+import { HttpAuthzGuardUtil } from "./http-authz.guard.util";
 
 describe("HttpAuthzGuardUtil", () => {
   let mockedExecutionContext: ExecutionContext;
@@ -80,7 +80,7 @@ describe("HttpAuthzGuardUtil", () => {
     ).toBe(true);
   });
 
-  it("Should authorize a scope with 'self' for object id", () => {
+  it("Should not authorize a scope with 'self' for object id", () => {
     const request = getRequestWithAuthorizationBearerScopes("johndoe", [
       "user:self:update",
     ]) as any;
@@ -94,7 +94,7 @@ describe("HttpAuthzGuardUtil", () => {
         object: "user",
         objectId: "johndoe",
       })
-    ).toBe(true);
+    ).toBe(false);
   });
 
   it("Should authorize a multi level scope definition", () => {

package/src/auth/{http-authz-guard.util.ts → http-authz.guard.util.ts}

@@ -7,6 +7,7 @@ export class HttpAuthzGuardUtil {
   private _token: any;
   public readonly params: any;
   public readonly query: any;
+  public readonly body: any;
 
   constructor(private readonly context: ExecutionContext) {
     const request = context.switchToHttp().getRequest();
@@ -28,6 +29,7 @@ export class HttpAuthzGuardUtil {
     this._token = decodedToken;
     this.params = request.params;
     this.query = request.query;
+    this.body = request.body;
   }
 
   public isAuthorized(...authzRequests: AuthorizationRequestInterface[]) {

package/src/auth/index.ts

@@ -1,4 +1,5 @@
 export * from "./authenticator.interface";
 export * from "./topic-authorizor.interface";
 export * from "./fake-authenticator";
-export * from "./http-authz-guard.util";
+export * from "./http-authz.guard.util";
+export * from "./http-authz.attach-objects.guard.util";

package/src/config/default-config.ts

@@ -114,15 +114,15 @@ export class DefaultConfig implements JsonSerializableInterface<any> {
   }
 
   public get apiVersion(): string {
-    return process.env.API_VERSION;
+    return process.env.API_VERSION || "v1";
   }
 
   public get appPrefix(): string {
-    return process.env.APP_PREFIX;
+    return process.env.APP_PREFIX || "api";
   }
 
   public get docsPrefix(): string {
-    return process.env.DOCS_PREFIX;
+    return process.env.DOCS_PREFIX || "docs";
   }
 
   public get docsEnabled(): boolean {
@@ -152,11 +152,11 @@ export class DefaultConfig implements JsonSerializableInterface<any> {
   }
 
   public get logLevels(): string[] {
-    return process.env.LOG_LEVELS.trim().split(",");
+    return (process.env.LOG_LEVELS || "debug,info,error").trim().split(",");
   }
 
   public get httpPort(): number {
-    return parseInt(process.env.HTTP_PORT, 10);
+    return parseInt(process.env.HTTP_PORT || "3000", 10);
   }
 
   public get metrics(): SwitchConfigInterface & HostConfigInterface {
@@ -177,7 +177,7 @@ export class DefaultConfig implements JsonSerializableInterface<any> {
 
   public get elasticsearch(): UrlInterface & PingConfigInterface {
     return new ElasticsearchConfig(
-      process.env.ELASTICSEARCH_URL,
+      process.env.ELASTICSEARCH_URL || "http://elasticsearch:9200",
       process.env.ELASTICSEARCH_PING_INTERVAL_SECONDS || "10"
     );
   }

package/lib/src/auth/http-authz-guard.util.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"http-authz-guard.util.js","sourceRoot":"","sources":["../../../src/auth/http-authz-guard.util.ts"],"names":[],"mappings":";;;AAAA,2CAA6E;AAC7E,oCAAoC;AAEpC,uEAAmE;AAEnE,MAAa,kBAAkB;IAK7B,YAA6B,OAAyB;QAAzB,YAAO,GAAP,OAAO,CAAkB;QACpD,MAAM,OAAO,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,UAAU,EAAE,CAAC;QACpD,MAAM,mBAAmB,GAAG,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC;QAC1D,IAAI,CAAC,mBAAmB,EAAE;YACxB,MAAM,IAAI,sBAAa,CAAC,cAAc,EAAE,mBAAU,CAAC,YAAY,CAAC,CAAC;SAClE;QACD,MAAM,gBAAgB,GAAG,mBAAmB,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QACrE,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC,EAAE;YACjC,MAAM,IAAI,sBAAa,CAAC,cAAc,EAAE,mBAAU,CAAC,YAAY,CAAC,CAAC;SAClE;QAED,MAAM,WAAW,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAC;QACxC,MAAM,YAAY,GAAG,GAAG,CAAC,MAAM,CAAC,WAAW,CAAmB,CAAC;QAC/D,IAAI,CAAC,YAAY,EAAE;YACjB,MAAM,IAAI,sBAAa,CAAC,cAAc,EAAE,mBAAU,CAAC,YAAY,CAAC,CAAC;SAClE;QAED,IAAI,CAAC,MAAM,GAAG,YAAY,CAAC;QAC3B,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAC7B,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;IAC7B,CAAC;IAEM,YAAY,CAAC,GAAG,aAA8C;QACnE,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC;QAElC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE;YAC1B,IAAI,IAAI,CAAC,0BAA0B,CAAC,KAAK,EAAE,aAAa,CAAC,EAAE;gBACzD,OAAO,IAAI,CAAC;aACb;SACF;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAEO,0BAA0B,CAChC,KAAa,EACb,aAA8C;QAE9C,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAE/B,MAAM,uBAAuB,GAAG,EAAE,CAAC;QACnC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE;YACxC,uBAAuB,CAAC,IAAI,CAC1B,IAAI,gDAAsB,CACxB,IAAI,CAAC,MAAM,CAAC,GAAG,EACf,KAAK,CAAC,CAAC,CAAC,EACR,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,EACZ,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CACb,CACF,CAAC;SACH;QAED,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,aAAa,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE;YAC7C,MAAM,OAAO,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC;YACjC,IAAI,CAAC,uBAAuB,CAAC,CAAC,CAAC,EAAE;gBAC/B,OAAO,KAAK,CAAC;aACd;YACD,MAAM,SAAS,GAAG,uBAAuB,CAAC,CAAC,CAAC,CAAC;YAC7C,IAAI,CAAC,SAAS,CAAC,gBAAgB,CAAC,OAAO,CAAC,EAAE;gBACxC,OAAO,KAAK,CAAC;aACd;SACF;QAED,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAtED,gDAsEC"}