@develit-services/rbac 0.0.1

package/dist/export/worker.mjs

@@ -0,0 +1,771 @@
+import { WorkerEntrypoint } from 'cloudflare:workers';
+import { uuidv4, first, createInternalError, develitWorker, action, service } from '@develit-io/backend-sdk';
+import { m as jwtPayloadSchema, c as createRoleInputSchema, a as assignRoleToUserInputSchema, b as assignRolesToUserInputSchema, r as revokeRoleFromUserInputSchema, f as grantScopeToUserInputSchema, h as grantScopesToUserInputSchema, j as revokeScopeFromUserInputSchema, e as grantScopeToRoleInputSchema, i as revokeScopeFromRoleInputSchema, S as SCOPES, g as getUserPermissionsInputSchema, v as verifyAccessInputSchema, d as deleteRoleInputSchema, u as updateRoleInputSchema } from '../shared/rbac.C9brkvW9.mjs';
+import { s as schema } from '../shared/rbac.CJLU5iuV.mjs';
+import { eq, and, count, inArray } from 'drizzle-orm';
+import { z } from 'zod';
+import { drizzle } from 'drizzle-orm/d1';
+import 'drizzle-orm/sqlite-core';
+
+const tables = schema;
+
+const assignRoleToUserCommand = async ({
+  db,
+  userId,
+  roleId
+}) => {
+  const id = uuidv4();
+  const command = db.insert(tables.userRole).values({
+    id,
+    roleId,
+    userId
+  }).returning();
+  return { command, id };
+};
+
+const assignRolesToUserCommand = async ({
+  db,
+  userId,
+  roleIds
+}) => {
+  const userRoles = roleIds.map((roleId) => ({
+    id: uuidv4(),
+    roleId,
+    userId
+  }));
+  const command = db.insert(tables.userRole).values(userRoles).returning();
+  return { command, ids: userRoles.map((ur) => ur.id) };
+};
+
+const createRoleCommand = async ({
+  db,
+  name
+}) => {
+  const id = uuidv4();
+  const command = db.insert(tables.role).values({
+    id,
+    name
+  }).returning();
+  return { command, id };
+};
+
+const deleteRoleCommand = async ({
+  db,
+  id
+}) => {
+  const command = db.delete(tables.role).where(eq(tables.role.id, id));
+  return { command };
+};
+
+const grantScopeToRoleCommand = async ({
+  db,
+  scope,
+  roleId,
+  resourceId
+}) => {
+  const id = uuidv4();
+  const command = db.insert(tables.roleScope).values({
+    id,
+    scope,
+    roleId,
+    resourceId
+  }).returning();
+  return { command, id };
+};
+
+const grantScopeToUserCommand = async ({
+  db,
+  userId,
+  scope,
+  resourceId
+}) => {
+  const id = uuidv4();
+  const command = db.insert(tables.userScope).values({
+    id,
+    scope,
+    userId,
+    resourceId
+  }).returning();
+  return { command, id };
+};
+
+const grantScopesToUserCommand = async ({
+  db,
+  userId,
+  scopes
+}) => {
+  const userScopes = scopes.map((scope) => ({
+    id: uuidv4(),
+    scope: scope.scope,
+    userId,
+    resourceId: scope.resourceId
+  }));
+  const command = db.insert(tables.userScope).values(userScopes).returning();
+  return { command, ids: userScopes.map((us) => us.id) };
+};
+
+const revokeRoleFromUserCommand = async ({
+  db,
+  userId,
+  roleId
+}) => {
+  const command = db.delete(tables.userRole).where(
+    and(
+      eq(tables.userRole.userId, userId),
+      eq(tables.userRole.roleId, roleId)
+    )
+  );
+  return { command };
+};
+
+const revokeScopeFromRoleCommand = async ({
+  db,
+  roleId,
+  scope,
+  resourceId
+}) => {
+  const command = db.delete(tables.roleScope).where(
+    and(
+      eq(tables.roleScope.roleId, roleId),
+      eq(tables.roleScope.scope, scope),
+      resourceId ? eq(tables.userScope.resourceId, resourceId) : void 0
+    )
+  );
+  return { command };
+};
+
+const revokeScopeFromUserCommand = async ({
+  db,
+  userId,
+  scope,
+  resourceId
+}) => {
+  const command = db.delete(tables.userScope).where(
+    and(
+      eq(tables.userScope.userId, userId),
+      eq(tables.userScope.scope, scope),
+      resourceId ? eq(tables.userScope.resourceId, resourceId) : void 0
+    )
+  );
+  return { command };
+};
+
+const updateRoleCommand = async ({
+  db,
+  id,
+  name
+}) => {
+  const command = db.update(tables.role).set({ name }).where(eq(tables.role.id, id));
+  return { command };
+};
+
+const getAllRolesQuery = async ({
+  db
+}) => {
+  const roles = await db.select().from(tables.role);
+  const result = [];
+  for (const role of roles) {
+    const scopeCount = await db.select({ count: count() }).from(tables.roleScope).where(eq(tables.roleScope.roleId, role.id));
+    const userCount = await db.select({ count: count() }).from(tables.userRole).where(eq(tables.userRole.roleId, role.id));
+    result.push({
+      id: role.id,
+      name: role.name,
+      numberOfScopes: scopeCount[0]?.count ?? 0,
+      numberOfUsers: userCount[0]?.count ?? 0
+    });
+  }
+  return result;
+};
+
+const getRoleQuery = async ({
+  db,
+  roleId
+}) => {
+  return await db.select().from(tables.role).where(eq(tables.role.id, roleId)).then(first);
+};
+
+const getRolesByUserQuery = async ({
+  db,
+  userId
+}) => {
+  return await db.select({
+    id: tables.role.id,
+    name: tables.role.name
+  }).from(tables.userRole).leftJoin(tables.role, eq(tables.role.id, tables.userRole.roleId)).where(and(eq(tables.userRole.userId, userId)));
+};
+
+const getScopesByRolesQuery = async ({
+  db,
+  roleIds
+}) => {
+  return await db.select({
+    id: tables.roleScope.id,
+    scope: tables.roleScope.scope,
+    resourceId: tables.roleScope.resourceId
+  }).from(tables.roleScope).where(inArray(tables.roleScope.roleId, roleIds));
+};
+
+const getScopesByUserQuery = async ({
+  db,
+  userId
+}) => {
+  return await db.select({
+    id: tables.userScope.id,
+    scope: tables.userScope.scope,
+    resourceId: tables.userScope.resourceId
+  }).from(tables.userScope).where(and(eq(tables.userScope.userId, userId)));
+};
+
+function parseScopeTemplate(scope) {
+  if (typeof scope !== "string") {
+    throw createInternalError(null, {
+      message: "Scope template must be a string",
+      status: 400,
+      code: "INVALID_SCOPE_TYPE"
+    });
+  }
+  if (scope.length === 0) {
+    return [];
+  }
+  const placeholderRegex = /\{([^.]+)\.(.+?)\}/g;
+  const allBraceMatches = /\{[^}]*\}/g;
+  const allMatches = [...scope.matchAll(allBraceMatches)];
+  const validMatches = [...scope.matchAll(placeholderRegex)];
+  if (allMatches.length !== validMatches.length) {
+    throw createInternalError(null, {
+      message: "Invalid placeholder format found. Expected format: {type.key}",
+      status: 400,
+      code: "INVALID_PLACEHOLDER_FORMAT"
+    });
+  }
+  const placeholders = [];
+  let match;
+  placeholderRegex.lastIndex = 0;
+  while ((match = placeholderRegex.exec(scope)) !== null) {
+    const type = match[1];
+    const path = match[2];
+    if (!type || !path) {
+      throw createInternalError(null, {
+        message: `Placeholder '${match[0]}' has empty type or path`,
+        status: 400,
+        code: "EMPTY_PLACEHOLDER_PARTS"
+      });
+    }
+    placeholders.push({
+      type,
+      // jwt
+      path,
+      // userData.organizationId
+      fullMatch: match[0],
+      // "{jwt.userData.organizationId}"
+      position: match.index
+      // Position in string for ordered replacement
+    });
+  }
+  return placeholders.sort((a, b) => a.position - b.position);
+}
+function extractResourcesFromPath(scope, resourcePath) {
+  const placeholders = parseScopeTemplate(scope);
+  if (placeholders.length === 0) return {};
+  let regexPattern = scope.replace(/\./g, "\\.");
+  placeholders.forEach(() => {
+    regexPattern = regexPattern.replace(/\{[^}]+\}/, "([^.]+)");
+  });
+  const regex = new RegExp(`^${regexPattern}$`);
+  const match = resourcePath.match(regex);
+  if (!match) {
+    throw createInternalError(null, {
+      message: `Resource path '${resourcePath}' does not match scope template '${scope}'`,
+      status: 400,
+      code: "PATH_MISMATCH"
+    });
+  }
+  const result = {};
+  placeholders.forEach((placeholder, index) => {
+    const capturedValue = match[index + 1];
+    const { error } = z.uuid().safeParse(capturedValue);
+    if (error)
+      throw createInternalError(null, {
+        message: `Invalid UUID format: '${capturedValue}' for placeholder '${placeholder.type}.${placeholder.path}'`,
+        status: 400,
+        code: "INVALID_UUID"
+      });
+    result[`${placeholder.type}.${placeholder.path}`] = capturedValue;
+  });
+  return result;
+}
+const inputGetValueByKeySchema = z.object({
+  type: z.string().nonempty("Type parameter cannot be empty"),
+  path: z.string().nonempty("Path parameter cannot be empty"),
+  jwt: jwtPayloadSchema.optional()
+});
+const parseJson = (data) => {
+  try {
+    return JSON.parse(data);
+  } catch (_e) {
+    return data;
+  }
+};
+function getNestedValue(jwt, path) {
+  if (path === "") {
+    return jwt;
+  }
+  const keys = path.split(".");
+  let current = jwt;
+  for (const key of keys) {
+    if (current && typeof current === "object" && current !== null && !Array.isArray(current) && key in current) {
+      current = parseJson(current[key]);
+    } else {
+      return void 0;
+    }
+  }
+  return current;
+}
+function getValueByKey(type, path, jwt) {
+  const { error } = inputGetValueByKeySchema.safeParse({ type, path, jwt });
+  if (error) {
+    const message = error.issues.map((e) => e.message).join(", ");
+    throw createInternalError(error, {
+      message,
+      status: 500
+    });
+  }
+  switch (type) {
+    case "jwt": {
+      if (!jwt)
+        throw createInternalError(null, {
+          message: "JWT is required when using JWT parameters in scope template",
+          status: 400
+        });
+      const value = getNestedValue(jwt, path);
+      if (value === void 0 || value === null)
+        throw createInternalError(null, {
+          message: `Property '${path}' not found in JWT payload.`,
+          status: 400
+        });
+      return value;
+    }
+    case "params":
+      break;
+    default:
+      throw createInternalError(null, {
+        message: `Unsupported param type '${type}'`,
+        status: 400
+      });
+  }
+}
+
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __decorateClass = (decorators, target, key, kind) => {
+  var result = kind > 1 ? void 0 : kind ? __getOwnPropDesc(target, key) : target;
+  for (var i = decorators.length - 1, decorator; i >= 0; i--)
+    if (decorator = decorators[i])
+      result = (kind ? decorator(target, key, result) : decorator(result)) || result;
+  if (kind && result) __defProp(target, key, result);
+  return result;
+};
+let RbacServiceBase = class extends develitWorker(
+  WorkerEntrypoint
+) {
+  constructor(ctx, env) {
+    super(ctx, env);
+    this.db = drizzle(this.env.RBAC_D1, { schema: tables });
+  }
+  async createRole(input) {
+    return this.handleAction(
+      { data: input, schema: createRoleInputSchema },
+      { successMessage: "Role successfully created." },
+      async ({ name }) => {
+        const { command } = await createRoleCommand({ db: this.db, name });
+        const [roles] = await this.db.batch([command]);
+        return first(roles);
+      }
+    );
+  }
+  async assignRoleToUser(input) {
+    return this.handleAction(
+      { data: input, schema: assignRoleToUserInputSchema },
+      { successMessage: "Role successfully assigned." },
+      async ({ userId, roleId }) => {
+        const [role, userRole] = await Promise.all([
+          await getRoleQuery({ db: this.db, roleId }),
+          await getRolesByUserQuery({ db: this.db, userId })
+        ]);
+        if (!role) {
+          throw createInternalError(null, {
+            message: "Role not found.",
+            status: 404
+          });
+        }
+        if (userRole.some((r) => r.id === roleId)) {
+          throw createInternalError(null, {
+            message: "Role already assigned to user.",
+            status: 409
+          });
+        }
+        const { command } = await assignRoleToUserCommand({
+          db: this.db,
+          userId,
+          roleId
+        });
+        const [record] = await this.db.batch([command]);
+        return first(record);
+      }
+    );
+  }
+  async assignRolesToUser(input) {
+    return this.handleAction(
+      { data: input, schema: assignRolesToUserInputSchema },
+      { successMessage: "Roles successfully assigned." },
+      async ({ userId, roles: roleIds }) => {
+        for (const roleId of roleIds) {
+          const [role, userRole] = await Promise.all([
+            await getRoleQuery({ db: this.db, roleId }),
+            await getRolesByUserQuery({ db: this.db, userId })
+          ]);
+          if (!role) {
+            throw createInternalError(null, {
+              message: "Role not found.",
+              status: 404
+            });
+          }
+          if (userRole.some((r) => r.id === roleId)) {
+            throw createInternalError(null, {
+              message: "Role already assigned to user.",
+              status: 409
+            });
+          }
+        }
+        const { command } = await assignRolesToUserCommand({
+          db: this.db,
+          userId,
+          roleIds
+        });
+        const [record] = await this.db.batch([command]);
+        return first(record);
+      }
+    );
+  }
+  async revokeRoleFromUser(input) {
+    return this.handleAction(
+      { data: input, schema: revokeRoleFromUserInputSchema },
+      { successMessage: "Role successfully revoked." },
+      async ({ userId, roleId }) => {
+        const { command } = await revokeRoleFromUserCommand({
+          db: this.db,
+          userId,
+          roleId
+        });
+        await this.db.batch([command]);
+        return {};
+      }
+    );
+  }
+  async grantScopeToUser(input) {
+    return this.handleAction(
+      { data: input, schema: grantScopeToUserInputSchema },
+      { successMessage: "Scope successfully granted to user." },
+      async ({ userId, scope, resourceId }) => {
+        const userScope = await getScopesByUserQuery({ db: this.db, userId });
+        if (userScope.some((s) => s.scope === scope)) {
+          throw createInternalError(null, {
+            message: "Scope already assigned to user.",
+            status: 409
+          });
+        }
+        const { command } = await grantScopeToUserCommand({
+          db: this.db,
+          userId,
+          scope,
+          resourceId
+        });
+        const [record] = await this.db.batch([command]);
+        return first(record);
+      }
+    );
+  }
+  async grantScopesToUser(input) {
+    return this.handleAction(
+      { data: input, schema: grantScopesToUserInputSchema },
+      { successMessage: "Scopes successfully granted to user." },
+      async ({ userId, scopes }) => {
+        for (const scope of scopes) {
+          const userScopes = await getScopesByUserQuery({ db: this.db, userId });
+          if (userScopes.some((s) => s.scope === scope.scope)) {
+            throw createInternalError(null, {
+              message: "Scope already assigned to user.",
+              status: 409
+            });
+          }
+        }
+        const { command } = await grantScopesToUserCommand({
+          db: this.db,
+          userId,
+          scopes
+        });
+        const [record] = await this.db.batch([command]);
+        return first(record);
+      }
+    );
+  }
+  async revokeScopeFromUser(input) {
+    return this.handleAction(
+      { data: input, schema: revokeScopeFromUserInputSchema },
+      { successMessage: "Scope successfully revoked from user." },
+      async ({ userId, scope, resourceId }) => {
+        const { command } = await revokeScopeFromUserCommand({
+          db: this.db,
+          userId,
+          scope,
+          resourceId
+        });
+        await this.db.batch([command]);
+        return {};
+      }
+    );
+  }
+  async grantScopeToRole(input) {
+    return this.handleAction(
+      { data: input, schema: grantScopeToRoleInputSchema },
+      { successMessage: "Scope successfully granted to role." },
+      async ({ roleId, scope, resourceId }) => {
+        const { command } = await grantScopeToRoleCommand({
+          db: this.db,
+          scope,
+          roleId,
+          resourceId
+        });
+        const [record] = await this.db.batch([command]);
+        return first(record);
+      }
+    );
+  }
+  async revokeScopeFromRole(input) {
+    return this.handleAction(
+      { data: input, schema: revokeScopeFromRoleInputSchema },
+      { successMessage: "Scope successfully revoked from role." },
+      async ({ roleId, scope, resourceId }) => {
+        const { command } = await revokeScopeFromRoleCommand({
+          db: this.db,
+          roleId,
+          scope,
+          resourceId
+        });
+        await this.db.batch([command]);
+        return {};
+      }
+    );
+  }
+  async getPermissions() {
+    return this.handleAction(
+      null,
+      { successMessage: "Permissions successfully returned." },
+      async () => {
+        const roles = await getAllRolesQuery({ db: this.db });
+        const roleScopes = await Promise.all(
+          roles.filter((role) => role.id).map(async (role) => {
+            const scopes = await getScopesByRolesQuery({
+              db: this.db,
+              roleIds: [role.id]
+            });
+            return {
+              roleId: role.id,
+              roleName: role.name,
+              scopes: scopes.map((scope) => ({
+                id: scope.id,
+                scope: scope.scope,
+                resourceId: scope.resourceId
+              }))
+            };
+          })
+        );
+        return {
+          roles,
+          rolesCount: roles.length,
+          scopes: [...SCOPES],
+          scopesCount: [...SCOPES].length,
+          roleScopes,
+          roleScopesCount: roleScopes.length
+        };
+      }
+    );
+  }
+  async getUserPermissions(input) {
+    return this.handleAction(
+      { data: input, schema: getUserPermissionsInputSchema },
+      { successMessage: "User permissions successfully returned." },
+      async ({ userId }) => {
+        const resultRoles = await getRolesByUserQuery({ db: this.db, userId });
+        const resultScopes = await getScopesByUserQuery({ db: this.db, userId });
+        const resultRoleScopes = await getScopesByRolesQuery({
+          db: this.db,
+          roleIds: resultRoles.filter((role) => role.id).map((role) => role.id)
+        });
+        const roles = resultRoles.map((role) => ({
+          id: role.id,
+          name: role.name
+        }));
+        const scopes = resultScopes.map((scope) => ({
+          id: scope.id,
+          scope: scope.scope,
+          resourceId: scope.resourceId
+        }));
+        const roleScopes = resultRoleScopes.map((scope) => ({
+          id: scope.id,
+          scope: scope.scope,
+          resourceId: scope.resourceId
+        }));
+        return {
+          roles,
+          rolesCount: roles.length,
+          scopes,
+          scopesCount: scopes.length,
+          roleScopes,
+          roleScopesCount: roleScopes.length
+        };
+      }
+    );
+  }
+  async verifyAccess(input) {
+    return this.handleAction(
+      // TODO: This input schema is just copied from auth and is not 100% type safe
+      { data: input, schema: verifyAccessInputSchema },
+      { successMessage: "Access verification completed." },
+      async ({ userId, accessRequests, jwt }) => {
+        const userPermissionsResponse = await this.getUserPermissions({
+          userId
+        });
+        if (!userPermissionsResponse.data) {
+          throw createInternalError(null, {
+            message: "Unable to retrieve user permissions",
+            status: 500
+          });
+        }
+        const allScopes = [
+          ...userPermissionsResponse.data.roleScopes,
+          ...userPermissionsResponse.data.scopes
+        ];
+        const allAccessRequestsSatisfied = accessRequests.every((request) => {
+          const placeholders = parseScopeTemplate(request.scope);
+          return allScopes.some((userScope) => {
+            const scopesMatch = userScope.scope === request.scope;
+            let resourceMatches = false;
+            if (placeholders.length > 0) {
+              if (!request.resourcePath) {
+                throw createInternalError(null, {
+                  message: `Resource path is required when scope '${request.scope}' contains placeholders`,
+                  status: 400,
+                  code: "RESOURCE_PATH_REQUIRED"
+                });
+              }
+              const extractedResources = extractResourcesFromPath(
+                request.scope,
+                request.resourcePath
+              );
+              const allPlaceholdersMatch = placeholders.every((placeholder) => {
+                const extractedValue = extractedResources[`${placeholder.type}.${placeholder.path}`];
+                const jwtParam = placeholder.type === "jwt" ? jwt : void 0;
+                const expectedValue = getValueByKey(
+                  placeholder.type,
+                  placeholder.path,
+                  jwtParam
+                );
+                if (expectedValue === void 0) {
+                  return false;
+                }
+                return String(extractedValue) === String(expectedValue);
+              });
+              const resourceIdMatches = userScope.resourceId === null || userScope.resourceId === request.resourceId;
+              resourceMatches = allPlaceholdersMatch && resourceIdMatches;
+            } else {
+              resourceMatches = userScope.resourceId === null || userScope.resourceId === request.resourceId;
+            }
+            return scopesMatch && resourceMatches;
+          });
+        });
+        return {
+          isVerified: allAccessRequestsSatisfied
+        };
+      }
+    );
+  }
+  async deleteRole(input) {
+    return this.handleAction(
+      { data: input, schema: deleteRoleInputSchema },
+      { successMessage: "Role successfully deleted" },
+      async ({ id }) => {
+        const { command } = await deleteRoleCommand({ db: this.db, id });
+        await this.db.batch([command]);
+        return {};
+      }
+    );
+  }
+  async updateRole(input) {
+    return this.handleAction(
+      { data: input, schema: updateRoleInputSchema },
+      { successMessage: "Role successfully updated" },
+      async ({ id, name }) => {
+        const { command } = await updateRoleCommand({ db: this.db, id, name });
+        await this.db.batch([command]);
+        return {};
+      }
+    );
+  }
+};
+__decorateClass([
+  action("createRole")
+], RbacServiceBase.prototype, "createRole", 1);
+__decorateClass([
+  action("assignRoleToUser")
+], RbacServiceBase.prototype, "assignRoleToUser", 1);
+__decorateClass([
+  action("assign-roles-to-user")
+], RbacServiceBase.prototype, "assignRolesToUser", 1);
+__decorateClass([
+  action("revokeRoleFromUser")
+], RbacServiceBase.prototype, "revokeRoleFromUser", 1);
+__decorateClass([
+  action("grantScopeToUser")
+], RbacServiceBase.prototype, "grantScopeToUser", 1);
+__decorateClass([
+  action("grant-scopes-to-user")
+], RbacServiceBase.prototype, "grantScopesToUser", 1);
+__decorateClass([
+  action("revokeScopeFromUser")
+], RbacServiceBase.prototype, "revokeScopeFromUser", 1);
+__decorateClass([
+  action("grantScopeToRole")
+], RbacServiceBase.prototype, "grantScopeToRole", 1);
+__decorateClass([
+  action("revokeScopeFromRole")
+], RbacServiceBase.prototype, "revokeScopeFromRole", 1);
+__decorateClass([
+  action("getPermissions")
+], RbacServiceBase.prototype, "getPermissions", 1);
+__decorateClass([
+  action("getUserPermissions")
+], RbacServiceBase.prototype, "getUserPermissions", 1);
+__decorateClass([
+  action("verifyAccess")
+], RbacServiceBase.prototype, "verifyAccess", 1);
+__decorateClass([
+  action("deleteRole")
+], RbacServiceBase.prototype, "deleteRole", 1);
+__decorateClass([
+  action("updateRole")
+], RbacServiceBase.prototype, "updateRole", 1);
+RbacServiceBase = __decorateClass([
+  service("rbac")
+], RbacServiceBase);
+function defineRbacService() {
+  return class RbacService extends RbacServiceBase {
+    constructor(ctx, env) {
+      super(ctx, env);
+    }
+  };
+}
+
+const RbacService = defineRbacService();
+
+export { RbacService as default, defineRbacService };