@declaro/core 2.0.0-beta.8 → 2.0.0-y.0

package/src/auth/permission-validator.test.ts

@@ -0,0 +1,209 @@
+import { describe, expect, it } from 'vitest'
+import { PermissionError, PermissionRuleType, PermissionValidator } from './permission-validator'
+
+describe('Permission Builder', () => {
+    it('should create a builder instance statically or with a constructor', () => {
+        const viaStatic = PermissionValidator.create()
+        const viaConstructor = new PermissionValidator()
+
+        expect(viaStatic).toBeInstanceOf(PermissionValidator)
+        expect(viaConstructor).toBeInstanceOf(PermissionValidator)
+    })
+
+    it('should be able to add validation rules', () => {
+        const validator = PermissionValidator.create().addRule({
+            type: PermissionRuleType.ALL_OF,
+            permissions: ['some', 'permissions'],
+            errorMessage: 'Tisk tisk',
+        })
+
+        expect(validator).toBeInstanceOf(PermissionValidator)
+        expect(validator.rules.length).toBe(1)
+    })
+
+    it('should be able to validate rules', () => {
+        const validator = PermissionValidator.create().addRule({
+            type: PermissionRuleType.ALL_OF,
+            permissions: ['some', 'permissions'],
+            errorMessage: 'Tisk tisk',
+        })
+
+        const validResult = validator.validate(['look', 'we', 'have', 'some', 'permissions', 'and', 'some', 'more'])
+
+        expect(validResult).toBe(true)
+        expect(() => validator.validate(['we', 'are', 'not', 'authorized'])).toThrowError('Tisk tisk')
+    })
+
+    it('should be able to safe validate rules, so they do not throw permission errors', () => {
+        const validator = PermissionValidator.create().addRule({
+            type: PermissionRuleType.ALL_OF,
+            permissions: ['some', 'permissions'],
+            errorMessage: 'Tisk tisk',
+        })
+
+        const validResult = validator.safeValidate(['look', 'we', 'have', 'some', 'permissions', 'and', 'some', 'more'])
+
+        expect(validResult).to.deep.equal({
+            valid: true,
+            errorMessage: '',
+            errors: [],
+        })
+
+        expect(() => validator.safeValidate(['we', 'are', 'not', 'authorized'])).not.toThrowError()
+        const result = validator.safeValidate(['we', 'are', 'not', 'authorized'])
+        expect(result).to.deep.equal({
+            valid: false,
+            errorMessage: 'Tisk tisk',
+            errors: [new PermissionError('Tisk tisk', validator.rules[0], ['we', 'are', 'not', 'authorized'])],
+        })
+    })
+
+    it('should support requiring all of a list of permissions', () => {
+        const validator = PermissionValidator.create().allOf(['permissions', 'you', 'need'])
+
+        const validResult = validator.validate(['i', 'have', 'the', 'permissions', 'you', 'need'])
+
+        expect(validResult).toBe(true)
+    })
+
+    it('should support requiring none of a list of permissions', () => {
+        const validator = PermissionValidator.create().noneOf(['bad', 'things'], 'NOPE')
+
+        const validResult = validator.validate(['i', 'have', 'the', 'permissions', 'you', 'need'])
+
+        expect(validResult).toBe(true)
+
+        expect(() => validator.validate(['i', 'have', 'bad', 'stuff'])).toThrowError('NOPE')
+    })
+
+    it('should support requiring some of a list of permissions', () => {
+        const validator = PermissionValidator.create().someOf(['some', 'optional', 'permissions'], 'You had one job')
+
+        const validResult = validator.validate(['i', 'have', 'the', 'permissions', 'you', 'need'])
+
+        expect(validResult).toBe(true)
+
+        expect(() => validator.validate(['i', 'have', 'bad', 'stuff'])).toThrowError('You had one job')
+    })
+
+    it('should be able to mix and match permissions', () => {
+        const validator = PermissionValidator.create()
+            .allOf(['luke', 'leia', 'han', 'chewie'], 'Where are my heroes?')
+            .someOf(['obi-wan', 'yoda'], 'Requires 1 master jedi')
+            .noneOf(['darth-vader', 'storm-trooper', 'emperor'], 'No sith allowed')
+
+        const validResult = validator.validate(['leia', 'han', 'yoda', 'chewie', 'c3po', 'r2d2', 'han', 'luke'])
+
+        expect(validResult).toBe(true)
+
+        expect(() =>
+            validator.validate(['leia', 'han', 'yoda', 'chewie', 'c3po', 'r2d2', 'han', 'luke', 'storm-trooper']),
+        ).toThrowError('No sith allowed')
+
+        expect(() => {
+            validator.validate(['leia', 'han', 'yoda', 'chewie', 'c3po', 'r2d2', 'han'])
+        }).toThrowError('Where are my heroes?')
+
+        expect(() => {
+            validator.validate(['leia', 'han', 'chewie', 'c3po', 'r2d2', 'han', 'luke'])
+        }).toThrowError('Requires 1 master jedi')
+    })
+
+    it('should validate multiple permission validators at once', () => {
+        const validator = PermissionValidator.create()
+            .allOf(['luke', 'leia', 'han', 'chewie'], 'Where are my heroes?')
+            .someOf(['obi-wan', 'yoda'], 'Requires 1 master jedi')
+
+        const validator2 = PermissionValidator.create().noneOf(
+            ['darth-vader', 'storm-trooper', 'emperor'],
+            'No sith allowed',
+        )
+
+        const combinedValidator = PermissionValidator.create().extend(validator, validator2)
+
+        const validResult = combinedValidator.validate(['leia', 'han', 'yoda', 'chewie', 'c3po', 'r2d2', 'han', 'luke'])
+
+        expect(validResult).toBe(true)
+
+        expect(() =>
+            combinedValidator.validate([
+                'leia',
+                'han',
+                'yoda',
+                'chewie',
+                'c3po',
+                'r2d2',
+                'han',
+                'luke',
+                'storm-trooper',
+            ]),
+        ).toThrowError('No sith allowed')
+
+        expect(() => {
+            combinedValidator.validate(['leia', 'han', 'yoda', 'chewie', 'c3po', 'r2d2', 'han'])
+        }).toThrowError('Where are my heroes?')
+
+        expect(() => {
+            combinedValidator.validate(['leia', 'han', 'chewie', 'c3po', 'r2d2', 'han', 'luke'])
+        }).toThrowError('Requires 1 master jedi')
+    })
+
+    it('Should be able to use validators interchangably with rules', () => {
+        const heros = PermissionValidator.create().allOf(['luke', 'leia', 'han', 'chewie'])
+
+        const jedi = PermissionValidator.create().someOf(['obi-wan', 'yoda'])
+
+        const sith = PermissionValidator.create().someOf(['darth-vadar', 'emperor', 'darth-maul'])
+
+        const lightSide = PermissionValidator.create().someOf([heros, jedi], 'The light side must be heroes or jedi')
+        const darkSide = PermissionValidator.create().someOf(['palpatine', sith], 'Only dark side allowed')
+        const lightOnly = PermissionValidator.create()
+            .someOf([lightSide], 'Light side only')
+            .noneOf([darkSide], 'No dark side allowed')
+
+        expect(lightOnly.validate(['luke', 'leia', 'yoda'])).toBe(true)
+        expect(() => lightOnly.validate(['luke', 'leia', 'yoda', 'darth-vadar'])).toThrowError('No dark side allowed')
+        expect(() => lightOnly.validate(['luke', 'leia', 'yoda', 'darth-vadar', 'darth-maul'])).toThrowError(
+            'No dark side allowed',
+        )
+
+        const dumbCharacters = PermissionValidator.create().someOf(['jar-jar-binx'], 'Oh George, what have you done?')
+
+        const coolCharacters = PermissionValidator.create()
+            .someOf([lightSide, darkSide], 'Must contain Star Wars characters')
+            .noneOf([dumbCharacters], 'Oh George, what have you done?')
+
+        expect(coolCharacters.validate(['luke', 'leia', 'han', 'chewie', 'yoda'])).toBe(true)
+        expect(coolCharacters.validate(['luke', 'leia', 'han', 'chewie', 'yoda', 'darth-vadar'])).toBe(true)
+        expect(coolCharacters.validate(['darth-vadar', 'darth-maul'])).toBe(true)
+        expect(() => coolCharacters.validate(['luke', 'leia', 'han', 'chewie', 'yoda', 'jar-jar-binx'])).toThrowError(
+            'Oh George, what have you done?',
+        )
+    })
+
+    it('should not error when passed undefined instead of a permission array to validate', () => {
+        const validator = PermissionValidator.create().someOf(['luke', 'leia', 'han', 'chewie'], 'Where are my heroes?')
+        expect(() => validator.safeValidate(undefined)).not.toThrowError()
+    })
+
+    it('should support wildcards', () => {
+        const validator = PermissionValidator.create().allOf(['*'])
+
+        expect(validator.safeValidate(['anything']).valid).toBe(true)
+        expect(validator.safeValidate(['everything']).valid).toBe(true)
+        expect(validator.safeValidate(['nothing']).valid).toBe(true)
+        expect(validator.safeValidate(['something']).valid).toBe(true)
+
+        const validator2 = PermissionValidator.create().allOf(['namespace::resource.action:*'])
+
+        expect(validator2.safeValidate(['namespace::resource.action:read']).valid).toBe(true)
+        expect(validator2.safeValidate(['namespace::resource.action:write']).valid).toBe(true)
+        expect(validator2.safeValidate(['namespace::resource.action:delete']).valid).toBe(true)
+
+        const validator3 = PermissionValidator.create().allOf(['namespace::resource.*:*'])
+
+        expect(validator3.safeValidate(['namespace::resource.action:read']).valid).toBe(true)
+        expect(validator3.safeValidate(['namespace::resource.action1:write']).valid).toBe(true)
+        expect(validator3.safeValidate(['namespace::resource.action2:delete']).valid).toBe(true)
+    })
+})

package/src/auth/permission-validator.ts

@@ -0,0 +1,135 @@
+import { minimatch } from 'minimatch'
+
+export enum PermissionRuleType {
+    ALL_OF = 'ALL_OF',
+    NONE_OF = 'NONE_OF',
+    SOME_OF = 'SOME_OF',
+}
+
+export type RulePermission = string | PermissionValidator
+
+export type PermissionRule = {
+    type: PermissionRuleType
+    permissions: RulePermission[]
+    errorMessage: string
+}
+
+export class PermissionError extends Error {
+    constructor(message: string, public rule: PermissionRule, public permissions: RulePermission[]) {
+        super(message ?? 'Permission Error')
+    }
+}
+
+export type PermissionValidationResults = {
+    valid: boolean
+    errorMessage: string
+    errors: PermissionError[]
+}
+
+export class PermissionValidator {
+    readonly rules: PermissionRule[] = []
+    static create() {
+        return new PermissionValidator()
+    }
+
+    addRule(...rule: PermissionRule[]) {
+        this.rules.push(...rule)
+        return this
+    }
+
+    extend(...validators: PermissionValidator[]) {
+        validators.forEach((validator) => {
+            this.rules.push(...validator.rules)
+        })
+        return this
+    }
+
+    allOf(permissions: RulePermission[], errorMessage?: string) {
+        this.addRule({
+            type: PermissionRuleType.ALL_OF,
+            permissions,
+            errorMessage,
+        })
+        return this
+    }
+
+    noneOf(permissions: RulePermission[], errorMessage?: string) {
+        this.addRule({
+            type: PermissionRuleType.NONE_OF,
+            permissions,
+            errorMessage,
+        })
+        return this
+    }
+
+    someOf(permissions: RulePermission[], errorMessage?: string) {
+        this.addRule({
+            type: PermissionRuleType.SOME_OF,
+            permissions,
+            errorMessage,
+        })
+        return this
+    }
+
+    private validateRule(rule: PermissionRule, permissions: string[]) {
+        if (rule.type === PermissionRuleType.ALL_OF) {
+            return rule.permissions.every((permission) => this.hasPermission(permission, permissions))
+        } else if (rule.type === PermissionRuleType.NONE_OF) {
+            return !rule.permissions.some((permission) => this.hasPermission(permission, permissions))
+        } else if (rule.type === PermissionRuleType.SOME_OF) {
+            return rule.permissions.some((permission) => this.hasPermission(permission, permissions))
+        } else {
+            throw new Error(`Invalid permission rule type ${rule.type}`)
+        }
+    }
+
+    private hasPermission(permission: RulePermission, permissions: string[]) {
+        if (typeof permission === 'string') {
+            const matches = minimatch.match(permissions, permission)
+            return matches.length > 0
+            // return permissions.some((p) => minimatch(p, permission))
+        } else {
+            return permission.safeValidate(permissions).valid
+        }
+    }
+
+    validate(permissions: string[] = []) {
+        return this.rules.reduce((status, rule) => {
+            const valid = this.validateRule(rule, permissions)
+
+            if (!valid) {
+                throw new PermissionError(rule.errorMessage, rule, permissions)
+            }
+
+            return status && valid
+        }, true)
+    }
+
+    safeValidate(permissions: string[] = []): PermissionValidationResults {
+        const errors = this.rules
+            .map((rule) => {
+                const valid = this.validateRule(rule, permissions)
+
+                if (!valid) {
+                    return new PermissionError(rule.errorMessage, rule, permissions)
+                } else {
+                    return undefined
+                }
+            })
+            .filter((item) => !!item)
+
+        if (errors.length > 0) {
+            return {
+                valid: false,
+                errorMessage: errors[0].message,
+                errors,
+            }
+        } else {
+            return {
+                valid: true,
+                errorMessage: '',
+                errors: [],
+            }
+        }
+    }
+}