npm - @elsikora/nestjs-crud-automator - Versions diffs - 1.21.1 → 1.22.0-dev.2 - Mend

@elsikora/nestjs-crud-automator 1.21.1 → 1.22.0-dev.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (600) hide show

package/README.md CHANGED Viewed

@@ -353,53 +353,358 @@ export class UserController {
 }
 ```
-### Declarative Authorization Policies
+### Authorization
-Import `ApiAuthorizationModule` once and describe access rules as policies. The guard is attached automatically—mark controllers with `@ApiControllerSecurable()` to enable policy evaluation.
+Authorization now has two first-class modes:
+- `hooks`: auto-discovered `@ApiAuthorizationPolicy({ entity })` classes
+- `iam`: attachment/document-based IAM evaluation with optional boundaries
+`@ApiControllerSecurable()` is marker-only. It turns on the authorization pipeline, but mode selection and all authorization configuration live in `@ApiController({ authorization: ... })`. Each route uses exactly one mode, and route config can override the controller default with `routes[routeType].authorization.mode`.
+#### Runtime authorization actions
+`@ApiMethod(...)` uses two different action concepts:
+- `action` is a documentation hint for Swagger summaries and descriptions
+- `authorization.action` is the runtime authorization action string used by hooks and IAM
+Auto-generated CRUD routes receive built-in runtime actions automatically:
+- `create`
+- `delete`
+- `get`
+- `getList`
+- `partialUpdate`
+- `update`
+Custom secured routes should declare their own domain-specific action strings:
+```typescript
+@ApiMethod<UserEntity>({
+	action: EApiAction.UPDATE,
+	authorization: {
+		action: "update.promote",
+	},
+	entity: UserEntity,
+	httpCode: HttpStatus.OK,
+	method: RequestMethod.POST,
+	path: ":id/promote",
+	responseType: UserResponseDto,
+})
+public promote(@Param("id") id: string) {
+	return this.service.promote(id);
+}
+```
+The same `authorization.action` value is what hooks receive as `context.action` and what IAM turns into a namespaced action such as `admin:user:update.promote`.
 ```typescript
 // app.module.ts
+import type {
+	IApiAuthorizationPrincipal,
+	IApiHookPermissionSource,
+	IApiPolicyAttachmentSource,
+	IApiPolicyDocumentSource,
+	IApiResolvedPolicyAttachments,
+} from "@elsikora/nestjs-crud-automator";
 import { Module } from "@nestjs/common";
-import { ApiAuthorizationModule } from "@elsikora/nestjs-crud-automator";
+import {
+	ApiAuthorizationModule,
+	EApiAuthorizationPrincipalType,
+	EApiPolicySourceType,
+	AuthorizationResolveDefaultPrincipal,
+} from "@elsikora/nestjs-crud-automator";
+const hookPermissionSource: IApiHookPermissionSource = {
+	async getPermissions(principal: IApiAuthorizationPrincipal): Promise<ReadonlyArray<string>> {
+		const permissions = principal.claims?.permissions;
+		return Array.isArray(permissions)
+			? permissions.filter((value): value is string => typeof value === "string")
+			: [];
+	},
+};
+const iamAttachmentSource: IApiPolicyAttachmentSource = {
+	async getAttachments(principal): Promise<IApiResolvedPolicyAttachments> {
+		return {
+			attachments: [
+				{
+					policyId: "user-items",
+					principalId: principal.id,
+					principalType: principal.type,
+				},
+			],
+			boundaries: [],
+		};
+	},
+};
+const iamDocumentSource: IApiPolicyDocumentSource = {
+	async getDocumentsByIds(ids) {
+		return ids.map((id) => ({
+			document: {
+				Statement: [
+					{
+						Action: ["admin:item:list", "admin:item:read"],
+						Condition: {
+							StringEquals: {
+								"resource.operatorId": "operator-1",
+							},
+						},
+						Effect: "Allow",
+						Resource: ["gameport:admin:item/{id}"],
+						Sid: "AllowOperatorItems",
+					},
+				],
+				Version: "2012-10-17",
+			},
+			id,
+			namespace: "admin:item",
+			sourceType: EApiPolicySourceType.MANAGED,
+			version: "2026-03-14",
+		}));
+	},
+};
 @Module({
 	imports: [
-		/* ... */
-		ApiAuthorizationModule,
+		ApiAuthorizationModule.forRoot({
+			hookPermissionSources: [hookPermissionSource],
+			iam: {
+				attachmentSources: [iamAttachmentSource],
+				documentSources: [iamDocumentSource],
+			},
+			principalResolver: {
+				resolve(user) {
+					if (!user || typeof user !== "object" || !("account" in user)) {
+						return AuthorizationResolveDefaultPrincipal(user);
+					}
+					const payload = user as {
+						account: { id: string; operatorId: string };
+						access: { permissions: Array<string>; roles: Array<string> };
+					};
+					return {
+						attributes: { operatorId: payload.account.operatorId },
+						claims: { permissions: payload.access.permissions },
+						id: payload.account.id,
+						roles: payload.access.roles,
+						type: EApiAuthorizationPrincipalType.USER,
+					};
+				},
+			},
+		}),
 	],
 })
 export class AppModule {}
 ```
-Mark controllers with `@ApiControllerSecurable()` to enable policy evaluation.
+Use `ApiAuthorizationModule.forRootAsync(...)` when the resolver or IAM sources must be real Nest providers with `Repository`, `DataSource`, or service dependencies. The module supports `imports`, `inject`, `useFactory`, `useClass`, and `useExisting`.
 ```typescript
-// policies/user-access.policy.ts
-import type { IApiAuthorizationRuleContext, IApiAuthorizationScope, TApiAuthorizationPolicyBeforeDeleteResult, TApiAuthorizationPolicyBeforeGetResult } from "@elsikora/nestjs-crud-automator";
+// authorization.module.ts
+import { Injectable, Module } from "@nestjs/common";
+import {
+	ApiAuthorizationModule,
+	AuthorizationResolveDefaultPrincipal,
+} from "@elsikora/nestjs-crud-automator";
+@Injectable()
+class DbPrincipalResolver {
+	resolve(user: unknown) {
+		return AuthorizationResolveDefaultPrincipal(user);
+	}
+}
+@Injectable()
+class DbAttachmentSource {
+	// Inject Repository / DataSource / services here
+}
+@Injectable()
+class DbDocumentSource {
+	// Inject Repository / DataSource / services here
+}
-import { ApiAuthorizationPolicy, ApiAuthorizationPolicyBase } from "@elsikora/nestjs-crud-automator";
-import { UserEntity } from "../user.entity";
+@Module({
+	exports: [DbAttachmentSource, DbDocumentSource, DbPrincipalResolver],
+	providers: [DbAttachmentSource, DbDocumentSource, DbPrincipalResolver],
+})
+class AuthorizationSourcesModule {}
+@Module({
+	imports: [
+		AuthorizationSourcesModule,
+		ApiAuthorizationModule.forRootAsync({
+			imports: [AuthorizationSourcesModule],
+			inject: [DbAttachmentSource, DbDocumentSource, DbPrincipalResolver],
+			useFactory: (attachmentSource, documentSource, principalResolver) => ({
+				iam: {
+					attachmentSources: [attachmentSource],
+					documentSources: [documentSource],
+				},
+				principalResolver,
+			}),
+		}),
+	],
+})
+export class AppModule {}
+```
+Use the controller `authorization` block to pick the mode:
+```typescript
+// user.controller.ts
+import {
+	EApiAuthorizationMode,
+	ApiController,
+	ApiControllerSecurable,
+} from "@elsikora/nestjs-crud-automator";
+@ApiControllerSecurable()
+@ApiController<UserEntity>({
+	authorization: {
+		defaultMode: EApiAuthorizationMode.HOOKS,
+	},
+	entity: UserEntity,
+	path: "users",
+})
+export class UserController {
+	constructor(public service: UserService) {}
+}
+```
+Hooks mode keeps entity-based policy autodiscovery:
+```typescript
+// policies/user-hooks.policy.ts
+import type {
+	IApiAuthorizationRuleContext,
+	IApiAuthorizationScope,
+	TApiAuthorizationPolicyBeforeGetListContext,
+	TApiAuthorizationPolicyBeforeUpdateContext,
+} from "@elsikora/nestjs-crud-automator";
+import {
+	EApiAuthorizationPermissionMatch,
+	ApiAuthorizationPolicy,
+	ApiAuthorizationPolicyBase,
+} from "@elsikora/nestjs-crud-automator";
 @ApiAuthorizationPolicy<UserEntity>({ entity: UserEntity, priority: 200 })
-export class UserAccessPolicy extends ApiAuthorizationPolicyBase<UserEntity> {
-	public onBeforeGet(): TApiAuthorizationPolicyBeforeGetResult<UserEntity> {
-		return this.allow({
-			scope: (context: IApiAuthorizationRuleContext<UserEntity>): IApiAuthorizationScope<UserEntity> => ({
-				where: { id: context.subject.id },
+export class UserHooksPolicy extends ApiAuthorizationPolicyBase<UserEntity> {
+	private getOperatorId(principal: IApiAuthorizationRuleContext<UserEntity>["principal"]): string | undefined {
+		return principal.attributes.operatorId as string | undefined;
+	}
+	private scopeToOperator(context: IApiAuthorizationRuleContext<UserEntity>): IApiAuthorizationScope<UserEntity> {
+		return {
+			where: {
+				operatorId: this.getOperatorId(context.principal),
+			},
+		};
+	}
+	public onBeforeGetList(context: TApiAuthorizationPolicyBeforeGetListContext<UserEntity>) {
+		if (context.query.filters?.operatorId && context.query.filters.operatorId !== this.getOperatorId(context.principal)) {
+			return [];
+		}
+		return [
+			...this.allowForRoles(["platform-admin"]),
+			...this.allowForPermissions(["admin.user.read", "admin.user.list"], {
+				match: EApiAuthorizationPermissionMatch.ALL,
+				scope: (ruleContext: IApiAuthorizationRuleContext<UserEntity>): IApiAuthorizationScope<UserEntity> => this.scopeToOperator(ruleContext),
 			}),
-		});
+		];
 	}
-	public onBeforeDelete(): TApiAuthorizationPolicyBeforeDeleteResult<UserEntity> {
-		return this.deny({
-			description: "Only admins can delete users",
-			condition: (context: IApiAuthorizationRuleContext<UserEntity>): boolean => !context.subject.roles.includes("admin"),
-		});
+	public onBeforeUpdate(_context: TApiAuthorizationPolicyBeforeUpdateContext<UserEntity>) {
+		return [
+			...this.allowForPermissions(["admin.user.update"], {
+				scope: (ruleContext: IApiAuthorizationRuleContext<UserEntity>): IApiAuthorizationScope<UserEntity> => this.scopeToOperator(ruleContext),
+			}),
+			...this.denyForPermissions(["admin.user.update"], {
+				condition: ({ principal }: IApiAuthorizationRuleContext<UserEntity>): boolean => Boolean(principal.attributes.isOperatorLocked),
+				priority: 1000,
+			}),
+		];
+	}
+}
+```
+Generated CRUD routes dispatch to CRUD hooks such as `onBeforeGetList` or `onBeforeUpdate` using the internal `routeType`. Custom `@ApiMethod(...)` routes do not use CRUD hook names; handle them in `getCustomActionRule(action, context)` instead:
+```typescript
+public getCustomActionRule(action: string) {
+	if (action === "update.promote") {
+		return this.allowForPermissions(["admin.user.promote"]);
 	}
+	return [];
 }
 ```
-Policies return arrays of allow/deny rules, merge scope conditions into generated queries, and transform responses before they are sent back to the client. Return an empty array (`[]`) when no rules apply. `authorizationDecision.policyIds` lists all policy IDs contributing rules for the request. You can optionally enable policy caching globally via `ApiAuthorizationPolicyRegistry.configureCache()` or per policy via the `cache` option when policies are static.
+IAM mode stays storage-agnostic. Attachments and documents come from your configured sources, while the controller defines the resource model used for action/resource matching and safe query planning:
+```typescript
+@ApiControllerSecurable()
+@ApiController<ItemEntity>({
+	authorization: {
+		defaultMode: EApiAuthorizationMode.IAM,
+		policyNamespace: "admin:item",
+		resourceDefinition: {
+			entity: ItemEntity,
+			fields: [
+				{
+					isFilterable: true,
+					path: "resource.id",
+					queryPath: "id",
+				},
+				{
+					isFilterable: true,
+					path: "resource.operatorId",
+					queryPath: "operator.id",
+				},
+			],
+			namespace: "admin:item",
+			resourcePath: "gameport:admin:item/{id}",
+			resourceType: "gameport:admin:item",
+		},
+	},
+	entity: ItemEntity,
+	path: "items",
+})
+export class ItemController {
+	constructor(public service: ItemService) {}
+}
+```
+Generated CRUD actions are normalized to IAM-friendly names inside the configured namespace:
+- `get` -> `<policyNamespace>:read`
+- `getList` -> `<policyNamespace>:list`
+- `create` -> `<policyNamespace>:create`
+- `update` / `partialUpdate` -> `<policyNamespace>:update`
+- `delete` -> `<policyNamespace>:delete`
+Custom `@ApiMethod(...)` actions pass through unchanged after the namespace. For example, `authorization.action: "update.promote"` becomes `admin:item:update.promote` when `policyNamespace` is `admin:item`.
+The runtime resolves a `principal`, dispatches to the selected mode, and stores a unified `authorizationDecision` on the request. Hooks mode traces matched rules and resolved permissions; IAM mode traces attachments, documents, statements, boundaries, and final decision type. For out-of-band checks, inject `ApiAuthorizationSimulator` and call `evaluate(...)` with the same controller authorization metadata you use at runtime.
+Important IAM details from the current implementation:
+- `resource.id` and `resource.operatorId` are safe planner-friendly paths for `GET` and `GET_LIST` when declared in `resourceDefinition.fields`
+- `queryPath` may be nested, for example `operator.id`, when your repository where-shape uses relations
+- route filters and authorization scopes are merged with logical `AND`, not overwrite semantics
+- impossible conflicts collapse to a match-nothing branch instead of rewriting the requested filter
+- relation payloads can be raw UUID strings, so create/update conditions like `request.body.operator = "${principal.attributes.operatorId}"` work without hooks fallback
 ### `CorrelationIDResponseBodyInterceptor`: Request Tracing
@@ -646,33 +951,35 @@ This query would search for users with "john" in their username and created betw
 ## Roadmap
-| Task / Feature                             | Status         |
-| ------------------------------------------ | -------------- |
-| Core CRUD operations                       | ✅ Done        |
-| TypeORM integration                        | ✅ Done        |
-| Swagger/OpenAPI documentation              | ✅ Done        |
-| Validation with class-validator            | ✅ Done        |
-| Transformation with class-transformer      | ✅ Done        |
-| Advanced filtering for GET_LIST operation  | ✅ Done        |
-| Authentication guard integration           | ✅ Done        |
-| Request/response transformers              | ✅ Done        |
-| Relation loading strategies                | ✅ Done        |
-| Custom validator integration               | ✅ Done        |
-| Pagination support                         | ✅ Done        |
-| Error handling with standardized responses | ✅ Done        |
-| Support for TypeScript decorators          | ✅ Done        |
-| Support for ESM and CommonJS modules       | ✅ Done        |
-| Subscriber System                          | ✅ Done        |
-| Role-based access control                  | ✅ Done        |
-| MongoDB support                            | 🚧 In Progress |
-| GraphQL integration                        | 🚧 In Progress |
-| Support for soft deletes                   | 🚧 In Progress |
-| Cache integration                          | 🚧 In Progress |
-| Audit logging middleware                   | 🚧 In Progress |
-| Bulk operations (create many, update many) | 🚧 In Progress |
-| Query complexity analyzer                  | 🚧 In Progress |
-| Rate limiting enhancements                 | 🚧 In Progress |
-| Custom parameter decorators                | 🚧 In Progress |
+| Task / Feature                              | Status         |
+| ------------------------------------------- | -------------- |
+| Core CRUD operations                        | ✅ Done        |
+| TypeORM integration                         | ✅ Done        |
+| Swagger/OpenAPI documentation               | ✅ Done        |
+| Validation with class-validator             | ✅ Done        |
+| Transformation with class-transformer       | ✅ Done        |
+| Advanced filtering for GET_LIST operation   | ✅ Done        |
+| Authentication guard integration            | ✅ Done        |
+| Request/response transformers               | ✅ Done        |
+| Relation loading strategies                 | ✅ Done        |
+| Custom validator integration                | ✅ Done        |
+| Pagination support                          | ✅ Done        |
+| Error handling with standardized responses  | ✅ Done        |
+| Support for TypeScript decorators           | ✅ Done        |
+| Support for ESM and CommonJS modules        | ✅ Done        |
+| Subscriber System                           | ✅ Done        |
+| Hooks and IAM authorization pipeline        | ✅ Done        |
+| DI-backed authorization bootstrap           | ✅ Done        |
+| Scope-safe authorization filtering          | ✅ Done        |
+| MongoDB support                             | 🚧 In Progress |
+| GraphQL integration                         | 🚧 In Progress |
+| Support for soft deletes                    | 🚧 In Progress |
+| Cache integration                           | 🚧 In Progress |
+| Audit logging middleware                    | 🚧 In Progress |
+| Bulk operations (create many, update many)  | 🚧 In Progress |
+| Query complexity analyzer                   | 🚧 In Progress |
+| Rate limiting enhancements                  | 🚧 In Progress |
+| Custom parameter decorators                 | 🚧 In Progress |
 ## ❓ FAQ

package/dist/cjs/class/api/authorization/bootstrap-validation.service.class.d.ts ADDED Viewed

@@ -0,0 +1,13 @@
+import { OnApplicationBootstrap } from "@nestjs/common";
+import { DiscoveryService } from "@nestjs/core";
+import { ApiAuthorizationPolicyRegistry } from './policy/registry.class';
+export declare class ApiAuthorizationBootstrapValidationService implements OnApplicationBootstrap {
+    private readonly discoveryService;
+    private readonly policyRegistry;
+    private readonly documentSources;
+    constructor(discoveryService: DiscoveryService, policyRegistry: ApiAuthorizationPolicyRegistry, documentSources?: ReadonlyArray<unknown>);
+    onApplicationBootstrap(): void;
+    private assertValidMode;
+    private validateController;
+    private validateResourceDefinition;
+}

package/dist/cjs/class/api/authorization/bootstrap-validation.service.class.js ADDED Viewed

@@ -0,0 +1,155 @@
+'use strict';
+var tslib_es6 = require('../../../external/tslib/tslib.es6.js');
+var documentSourcesToken_constant = require('../../../constant/class/authorization/policy/document-sources-token.constant.js');
+var controller_constant = require('../../../constant/decorator/api/controller.constant.js');
+require('../../../enum/class/authorization/decision-type.enum.js');
+require('../../../enum/class/authorization/effect.enum.js');
+var mode_enum = require('../../../enum/class/authorization/mode.enum.js');
+require('../../../enum/class/authorization/permission-match.enum.js');
+require('../../../enum/class/authorization/policy/attachment-type.enum.js');
+require('../../../enum/class/authorization/policy/on-type.enum.js');
+require('../../../enum/class/authorization/policy/source-type.enum.js');
+require('../../../enum/class/authorization/policy/status.enum.js');
+require('../../../enum/class/authorization/principal-type.enum.js');
+var routeType_enum = require('../../../enum/decorator/api/route-type.enum.js');
+var common = require('@nestjs/common');
+var core = require('@nestjs/core');
+var exception_utility = require('../../../utility/error/exception.utility.js');
+var logger_utility = require('../../../utility/logger.utility.js');
+var registry_class = require('./policy/registry.class.js');
+const authorizationBootstrapValidationLogger = logger_utility.LoggerUtility.getLogger("ApiAuthorizationBootstrapValidationService");
+exports.ApiAuthorizationBootstrapValidationService = class ApiAuthorizationBootstrapValidationService {
+    discoveryService;
+    policyRegistry;
+    documentSources;
+    constructor(discoveryService, policyRegistry, documentSources = []) {
+        this.discoveryService = discoveryService;
+        this.policyRegistry = policyRegistry;
+        this.documentSources = documentSources;
+    }
+    onApplicationBootstrap() {
+        const controllerWrappers = this.discoveryService.getControllers();
+        authorizationBootstrapValidationLogger.verbose(`Starting authorization bootstrap validation for ${controllerWrappers.length} controllers.`);
+        for (const controllerWrapper of controllerWrappers) {
+            this.validateController(controllerWrapper);
+        }
+        authorizationBootstrapValidationLogger.verbose("Authorization bootstrap validation finished.");
+    }
+    assertValidMode(mode, controllerName, routeType) {
+        if (mode === mode_enum.EApiAuthorizationMode.HOOKS || mode === mode_enum.EApiAuthorizationMode.IAM) {
+            return;
+        }
+        if (routeType) {
+            authorizationBootstrapValidationLogger.error(`Controller "${controllerName}" route "${routeType}" uses unknown authorization mode "${String(mode)}"`);
+            throw exception_utility.ErrorException(`Controller "${controllerName}" route "${routeType}" uses unknown authorization mode "${String(mode)}"`);
+        }
+        authorizationBootstrapValidationLogger.error(`Controller "${controllerName}" uses unknown authorization mode "${String(mode)}"`);
+        throw exception_utility.ErrorException(`Controller "${controllerName}" uses unknown authorization mode "${String(mode)}"`);
+    }
+    validateController(controllerWrapper) {
+        const metatype = controllerWrapper.metatype;
+        if (!metatype) {
+            return;
+        }
+        authorizationBootstrapValidationLogger.verbose(`Validating authorization configuration for controller "${metatype.name}".`);
+        const isSecurable = Boolean(Reflect.getMetadata(controller_constant.CONTROLLER_API_DECORATOR_CONSTANT.SECURABLE_METADATA_KEY, metatype));
+        const properties = Reflect.getMetadata(controller_constant.CONTROLLER_API_DECORATOR_CONSTANT.PROPERTIES_METADATA_KEY, metatype);
+        const authorization = properties?.authorization;
+        if (isSecurable && !authorization) {
+            authorizationBootstrapValidationLogger.error(`Controller "${metatype.name}" is marked with @ApiControllerSecurable() but does not declare an authorization block`);
+            throw exception_utility.ErrorException(`Controller "${metatype.name}" is marked with @ApiControllerSecurable() but does not declare an authorization block`);
+        }
+        if (!isSecurable && authorization) {
+            authorizationBootstrapValidationLogger.error(`Controller "${metatype.name}" declares an authorization block but is missing @ApiControllerSecurable()`);
+            throw exception_utility.ErrorException(`Controller "${metatype.name}" declares an authorization block but is missing @ApiControllerSecurable()`);
+        }
+        if (!authorization || !properties) {
+            return;
+        }
+        this.assertValidMode(authorization.defaultMode, metatype.name);
+        const enabledRouteTypes = Object.values(routeType_enum.EApiRouteType).filter((routeType) => properties.routes[routeType]?.isEnabled !== false);
+        const enabledRouteModes = new Set(enabledRouteTypes.map((routeType) => properties.routes[routeType]?.authorization?.mode ?? authorization.defaultMode));
+        const usesHooks = enabledRouteModes.has(mode_enum.EApiAuthorizationMode.HOOKS);
+        const usesIam = enabledRouteModes.has(mode_enum.EApiAuthorizationMode.IAM);
+        for (const routeType of enabledRouteTypes) {
+            const routeMode = properties.routes[routeType]?.authorization?.mode ?? authorization.defaultMode;
+            this.assertValidMode(routeMode, metatype.name, routeType);
+        }
+        if (usesHooks && !this.policyRegistry.hasSubscriberForEntity(properties.entity)) {
+            authorizationBootstrapValidationLogger.error(`Controller "${metatype.name}" uses hooks authorization but no @ApiAuthorizationPolicy(...) is registered for entity "${properties.entity.name ?? "UnknownEntity"}"`);
+            throw exception_utility.ErrorException(`Controller "${metatype.name}" uses hooks authorization but no @ApiAuthorizationPolicy(...) is registered for entity "${properties.entity.name ?? "UnknownEntity"}"`);
+        }
+        if (usesIam) {
+            if (!authorization.policyNamespace) {
+                authorizationBootstrapValidationLogger.error(`Controller "${metatype.name}" uses IAM authorization but does not declare policyNamespace`);
+                throw exception_utility.ErrorException(`Controller "${metatype.name}" uses IAM authorization but does not declare policyNamespace`);
+            }
+            if (!authorization.resourceDefinition) {
+                authorizationBootstrapValidationLogger.error(`Controller "${metatype.name}" uses IAM authorization but does not declare resourceDefinition`);
+                throw exception_utility.ErrorException(`Controller "${metatype.name}" uses IAM authorization but does not declare resourceDefinition`);
+            }
+            if (this.documentSources.length === 0) {
+                authorizationBootstrapValidationLogger.error(`Controller "${metatype.name}" uses IAM authorization but no documentSources are registered`);
+                throw exception_utility.ErrorException(`Controller "${metatype.name}" uses IAM authorization but no documentSources are registered`);
+            }
+            if (authorization.resourceDefinition.namespace !== authorization.policyNamespace) {
+                authorizationBootstrapValidationLogger.error(`Controller "${metatype.name}" resourceDefinition namespace must match policyNamespace`);
+                throw exception_utility.ErrorException(`Controller "${metatype.name}" resourceDefinition namespace must match policyNamespace`);
+            }
+            if (authorization.resourceDefinition.entity !== properties.entity) {
+                authorizationBootstrapValidationLogger.error(`Controller "${metatype.name}" resourceDefinition entity must match controller entity`);
+                throw exception_utility.ErrorException(`Controller "${metatype.name}" resourceDefinition entity must match controller entity`);
+            }
+            this.validateResourceDefinition(metatype.name, authorization.resourceDefinition);
+        }
+    }
+    validateResourceDefinition(controllerName, resourceDefinition) {
+        if (!resourceDefinition) {
+            return;
+        }
+        if (typeof resourceDefinition.namespace !== "string" || resourceDefinition.namespace.length === 0) {
+            authorizationBootstrapValidationLogger.error(`Controller "${controllerName}" resourceDefinition.namespace must be a non-empty string`);
+            throw exception_utility.ErrorException(`Controller "${controllerName}" resourceDefinition.namespace must be a non-empty string`);
+        }
+        if (typeof resourceDefinition.resourceType !== "string" || resourceDefinition.resourceType.length === 0) {
+            authorizationBootstrapValidationLogger.error(`Controller "${controllerName}" resourceDefinition.resourceType must be a non-empty string`);
+            throw exception_utility.ErrorException(`Controller "${controllerName}" resourceDefinition.resourceType must be a non-empty string`);
+        }
+        if (typeof resourceDefinition.resourcePath !== "string" || resourceDefinition.resourcePath.length === 0) {
+            authorizationBootstrapValidationLogger.error(`Controller "${controllerName}" resourceDefinition.resourcePath must be a non-empty string`);
+            throw exception_utility.ErrorException(`Controller "${controllerName}" resourceDefinition.resourcePath must be a non-empty string`);
+        }
+        const fieldPaths = new Set();
+        const queryPaths = new Set();
+        for (const field of resourceDefinition.fields) {
+            if (!field.path.startsWith("resource.")) {
+                authorizationBootstrapValidationLogger.error(`Controller "${controllerName}" resource field path "${field.path}" must start with "resource."`);
+                throw exception_utility.ErrorException(`Controller "${controllerName}" resource field path "${field.path}" must start with "resource."`);
+            }
+            if (field.path.length === 0 || field.queryPath.length === 0) {
+                authorizationBootstrapValidationLogger.error(`Controller "${controllerName}" resource field mappings must use non-empty path and queryPath`);
+                throw exception_utility.ErrorException(`Controller "${controllerName}" resource field mappings must use non-empty path and queryPath`);
+            }
+            if (fieldPaths.has(field.path)) {
+                authorizationBootstrapValidationLogger.error(`Controller "${controllerName}" resourceDefinition contains duplicate field path "${field.path}"`);
+                throw exception_utility.ErrorException(`Controller "${controllerName}" resourceDefinition contains duplicate field path "${field.path}"`);
+            }
+            if (queryPaths.has(field.queryPath)) {
+                authorizationBootstrapValidationLogger.error(`Controller "${controllerName}" resourceDefinition contains duplicate queryPath "${field.queryPath}"`);
+                throw exception_utility.ErrorException(`Controller "${controllerName}" resourceDefinition contains duplicate queryPath "${field.queryPath}"`);
+            }
+            fieldPaths.add(field.path);
+            queryPaths.add(field.queryPath);
+        }
+    }
+};
+exports.ApiAuthorizationBootstrapValidationService = tslib_es6.__decorate([
+    common.Injectable(),
+    tslib_es6.__param(2, common.Optional()),
+    tslib_es6.__param(2, common.Inject(documentSourcesToken_constant.AUTHORIZATION_POLICY_DOCUMENT_SOURCES_TOKEN)),
+    tslib_es6.__metadata("design:paramtypes", [core.DiscoveryService,
+        registry_class.ApiAuthorizationPolicyRegistry, Array])
+], exports.ApiAuthorizationBootstrapValidationService);
+//# sourceMappingURL=bootstrap-validation.service.class.js.map

package/dist/cjs/class/api/authorization/bootstrap-validation.service.class.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"bootstrap-validation.service.class.js","sources":["../../../../../../src/class/api/authorization/bootstrap-validation.service.class.ts"],"sourcesContent":[null],"names":["LoggerUtility","ApiAuthorizationBootstrapValidationService","EApiAuthorizationMode","ErrorException","CONTROLLER_API_DECORATOR_CONSTANT","EApiRouteType","__decorate","Injectable","__param","Optional","Inject","AUTHORIZATION_POLICY_DOCUMENT_SOURCES_TOKEN","DiscoveryService","ApiAuthorizationPolicyRegistry"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAeA,MAAM,sCAAsC,GAAkBA,4BAAa,CAAC,SAAS,CAAC,4CAA4C,CAAC;AAGtHC,kDAA0C,GAAhD,MAAM,0CAA0C,CAAA;AAEpC,IAAA,gBAAA;AACA,IAAA,cAAA;AAGA,IAAA,eAAA;AALlB,IAAA,WAAA,CACkB,gBAAkC,EAClC,cAA8C,EAG9C,kBAA0C,EAAE,EAAA;QAJ5C,IAAA,CAAA,gBAAgB,GAAhB,gBAAgB;QAChB,IAAA,CAAA,cAAc,GAAd,cAAc;QAGd,IAAA,CAAA,eAAe,GAAf,eAAe;IAC9B;IAEI,sBAAsB,GAAA;QAC5B,MAAM,kBAAkB,GAA2B,IAAI,CAAC,gBAAgB,CAAC,cAAc,EAAE;QAEzF,sCAAsC,CAAC,OAAO,CAAC,CAAA,gDAAA,EAAmD,kBAAkB,CAAC,MAAM,CAAA,aAAA,CAAe,CAAC;AAE3I,QAAA,KAAK,MAAM,iBAAiB,IAAI,kBAAkB,EAAE;AACnD,YAAA,IAAI,CAAC,kBAAkB,CAAC,iBAAiB,CAAC;QAC3C;AAEA,QAAA,sCAAsC,CAAC,OAAO,CAAC,8CAA8C,CAAC;IAC/F;AAEQ,IAAA,eAAe,CAAC,IAAa,EAAE,cAAsB,EAAE,SAAyB,EAAA;AACvF,QAAA,IAAI,IAAI,KAAKC,+BAAqB,CAAC,KAAK,IAAI,IAAI,KAAKA,+BAAqB,CAAC,GAAG,EAAE;YAC/E;QACD;QAEA,IAAI,SAAS,EAAE;AACd,YAAA,sCAAsC,CAAC,KAAK,CAAC,CAAA,YAAA,EAAe,cAAc,CAAA,SAAA,EAAY,SAAS,CAAA,mCAAA,EAAsC,MAAM,CAAC,IAAI,CAAC,CAAA,CAAA,CAAG,CAAC;AAErJ,YAAA,MAAMC,gCAAc,CAAC,CAAA,YAAA,EAAe,cAAc,CAAA,SAAA,EAAY,SAAS,CAAA,mCAAA,EAAsC,MAAM,CAAC,IAAI,CAAC,CAAA,CAAA,CAAG,CAAC;QAC9H;AAEA,QAAA,sCAAsC,CAAC,KAAK,CAAC,CAAA,YAAA,EAAe,cAAc,CAAA,mCAAA,EAAsC,MAAM,CAAC,IAAI,CAAC,CAAA,CAAA,CAAG,CAAC;QAEhI,MAAMA,gCAAc,CAAC,CAAA,YAAA,EAAe,cAAc,CAAA,mCAAA,EAAsC,MAAM,CAAC,IAAI,CAAC,CAAA,CAAA,CAAG,CAAC;IACzG;AAEQ,IAAA,kBAAkB,CAAC,iBAAkC,EAAA;AAC5D,QAAA,MAAM,QAAQ,GAA4D,iBAAiB,CAAC,QAAmE;QAE/J,IAAI,CAAC,QAAQ,EAAE;YACd;QACD;QAEA,sCAAsC,CAAC,OAAO,CAAC,CAAA,uDAAA,EAA0D,QAAQ,CAAC,IAAI,CAAA,EAAA,CAAI,CAAC;AAE3H,QAAA,MAAM,WAAW,GAAY,OAAO,CAAC,OAAO,CAAC,WAAW,CAACC,qDAAiC,CAAC,sBAAsB,EAAE,QAAQ,CAAC,CAAC;AAC7H,QAAA,MAAM,UAAU,GAAyD,OAAO,CAAC,WAAW,CAACA,qDAAiC,CAAC,uBAAuB,EAAE,QAAQ,CAAyD;AACzN,QAAA,MAAM,aAAa,GAA0E,UAAU,EAAE,aAAa;AAEtH,QAAA,IAAI,WAAW,IAAI,CAAC,aAAa,EAAE;YAClC,sCAAsC,CAAC,KAAK,CAAC,CAAA,YAAA,EAAe,QAAQ,CAAC,IAAI,CAAA,sFAAA,CAAwF,CAAC;YAElK,MAAMD,gCAAc,CAAC,CAAA,YAAA,EAAe,QAAQ,CAAC,IAAI,CAAA,sFAAA,CAAwF,CAAC;QAC3I;AAEA,QAAA,IAAI,CAAC,WAAW,IAAI,aAAa,EAAE;YAClC,sCAAsC,CAAC,KAAK,CAAC,CAAA,YAAA,EAAe,QAAQ,CAAC,IAAI,CAAA,0EAAA,CAA4E,CAAC;YAEtJ,MAAMA,gCAAc,CAAC,CAAA,YAAA,EAAe,QAAQ,CAAC,IAAI,CAAA,0EAAA,CAA4E,CAAC;QAC/H;AAEA,QAAA,IAAI,CAAC,aAAa,IAAI,CAAC,UAAU,EAAE;YAClC;QACD;QAEA,IAAI,CAAC,eAAe,CAAC,aAAa,CAAC,WAAW,EAAE,QAAQ,CAAC,IAAI,CAAC;QAE9D,MAAM,iBAAiB,GAAyB,MAAM,CAAC,MAAM,CAACE,4BAAa,CAAC,CAAC,MAAM,CAAC,CAAC,SAAwB,KAAK,UAAU,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,SAAS,KAAK,KAAK,CAAC;AACpK,QAAA,MAAM,iBAAiB,GAA+B,IAAI,GAAG,CAAwB,iBAAiB,CAAC,GAAG,CAAC,CAAC,SAAwB,KAAK,UAAU,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,aAAa,EAAE,IAAI,IAAI,aAAa,CAAC,WAAW,CAAC,CAAC;QACzN,MAAM,SAAS,GAAY,iBAAiB,CAAC,GAAG,CAACH,+BAAqB,CAAC,KAAK,CAAC;QAC7E,MAAM,OAAO,GAAY,iBAAiB,CAAC,GAAG,CAACA,+BAAqB,CAAC,GAAG,CAAC;AAEzE,QAAA,KAAK,MAAM,SAAS,IAAI,iBAAiB,EAAE;AAC1C,YAAA,MAAM,SAAS,GAA0B,UAAU,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,aAAa,EAAE,IAAI,IAAI,aAAa,CAAC,WAAW;YACvH,IAAI,CAAC,eAAe,CAAC,SAAS,EAAE,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAC;QAC1D;AAEA,QAAA,IAAI,SAAS,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,sBAAsB,CAAC,UAAU,CAAC,MAA6C,CAAC,EAAE;AACvH,YAAA,sCAAsC,CAAC,KAAK,CAAC,CAAA,YAAA,EAAe,QAAQ,CAAC,IAAI,CAAA,yFAAA,EAA4F,UAAU,CAAC,MAAM,CAAC,IAAI,IAAI,eAAe,CAAA,CAAA,CAAG,CAAC;AAElN,YAAA,MAAMC,gCAAc,CAAC,CAAA,YAAA,EAAe,QAAQ,CAAC,IAAI,CAAA,yFAAA,EAA4F,UAAU,CAAC,MAAM,CAAC,IAAI,IAAI,eAAe,CAAA,CAAA,CAAG,CAAC;QAC3L;QAEA,IAAI,OAAO,EAAE;AACZ,YAAA,IAAI,CAAC,aAAa,CAAC,eAAe,EAAE;gBACnC,sCAAsC,CAAC,KAAK,CAAC,CAAA,YAAA,EAAe,QAAQ,CAAC,IAAI,CAAA,6DAAA,CAA+D,CAAC;gBAEzI,MAAMA,gCAAc,CAAC,CAAA,YAAA,EAAe,QAAQ,CAAC,IAAI,CAAA,6DAAA,CAA+D,CAAC;YAClH;AAEA,YAAA,IAAI,CAAC,aAAa,CAAC,kBAAkB,EAAE;gBACtC,sCAAsC,CAAC,KAAK,CAAC,CAAA,YAAA,EAAe,QAAQ,CAAC,IAAI,CAAA,gEAAA,CAAkE,CAAC;gBAE5I,MAAMA,gCAAc,CAAC,CAAA,YAAA,EAAe,QAAQ,CAAC,IAAI,CAAA,gEAAA,CAAkE,CAAC;YACrH;YAEA,IAAI,IAAI,CAAC,eAAe,CAAC,MAAM,KAAK,CAAC,EAAE;gBACtC,sCAAsC,CAAC,KAAK,CAAC,CAAA,YAAA,EAAe,QAAQ,CAAC,IAAI,CAAA,8DAAA,CAAgE,CAAC;gBAE1I,MAAMA,gCAAc,CAAC,CAAA,YAAA,EAAe,QAAQ,CAAC,IAAI,CAAA,8DAAA,CAAgE,CAAC;YACnH;YAEA,IAAI,aAAa,CAAC,kBAAkB,CAAC,SAAS,KAAK,aAAa,CAAC,eAAe,EAAE;gBACjF,sCAAsC,CAAC,KAAK,CAAC,CAAA,YAAA,EAAe,QAAQ,CAAC,IAAI,CAAA,yDAAA,CAA2D,CAAC;gBAErI,MAAMA,gCAAc,CAAC,CAAA,YAAA,EAAe,QAAQ,CAAC,IAAI,CAAA,yDAAA,CAA2D,CAAC;YAC9G;YAEA,IAAI,aAAa,CAAC,kBAAkB,CAAC,MAAM,KAAK,UAAU,CAAC,MAAM,EAAE;gBAClE,sCAAsC,CAAC,KAAK,CAAC,CAAA,YAAA,EAAe,QAAQ,CAAC,IAAI,CAAA,wDAAA,CAA0D,CAAC;gBAEpI,MAAMA,gCAAc,CAAC,CAAA,YAAA,EAAe,QAAQ,CAAC,IAAI,CAAA,wDAAA,CAA0D,CAAC;YAC7G;YAEA,IAAI,CAAC,0BAA0B,CAAC,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC,kBAAkB,CAAC;QACjF;IACD;IAEQ,0BAA0B,CAAC,cAAsB,EAAE,kBAAgH,EAAA;QAC1K,IAAI,CAAC,kBAAkB,EAAE;YACxB;QACD;AAEA,QAAA,IAAI,OAAO,kBAAkB,CAAC,SAAS,KAAK,QAAQ,IAAI,kBAAkB,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE;AAClG,YAAA,sCAAsC,CAAC,KAAK,CAAC,eAAe,cAAc,CAAA,yDAAA,CAA2D,CAAC;AAEtI,YAAA,MAAMA,gCAAc,CAAC,CAAA,YAAA,EAAe,cAAc,CAAA,yDAAA,CAA2D,CAAC;QAC/G;AAEA,QAAA,IAAI,OAAO,kBAAkB,CAAC,YAAY,KAAK,QAAQ,IAAI,kBAAkB,CAAC,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE;AACxG,YAAA,sCAAsC,CAAC,KAAK,CAAC,eAAe,cAAc,CAAA,4DAAA,CAA8D,CAAC;AAEzI,YAAA,MAAMA,gCAAc,CAAC,CAAA,YAAA,EAAe,cAAc,CAAA,4DAAA,CAA8D,CAAC;QAClH;AAEA,QAAA,IAAI,OAAO,kBAAkB,CAAC,YAAY,KAAK,QAAQ,IAAI,kBAAkB,CAAC,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE;AACxG,YAAA,sCAAsC,CAAC,KAAK,CAAC,eAAe,cAAc,CAAA,4DAAA,CAA8D,CAAC;AAEzI,YAAA,MAAMA,gCAAc,CAAC,CAAA,YAAA,EAAe,cAAc,CAAA,4DAAA,CAA8D,CAAC;QAClH;AAEA,QAAA,MAAM,UAAU,GAAgB,IAAI,GAAG,EAAU;AACjD,QAAA,MAAM,UAAU,GAAgB,IAAI,GAAG,EAAU;AAEjD,QAAA,KAAK,MAAM,KAAK,IAAI,kBAAkB,CAAC,MAAM,EAAE;YAC9C,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE;gBACxC,sCAAsC,CAAC,KAAK,CAAC,CAAA,YAAA,EAAe,cAAc,CAAA,uBAAA,EAA0B,KAAK,CAAC,IAAI,CAAA,6BAAA,CAA+B,CAAC;gBAE9I,MAAMA,gCAAc,CAAC,CAAA,YAAA,EAAe,cAAc,CAAA,uBAAA,EAA0B,KAAK,CAAC,IAAI,CAAA,6BAAA,CAA+B,CAAC;YACvH;AAEA,YAAA,IAAI,KAAK,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE;AAC5D,gBAAA,sCAAsC,CAAC,KAAK,CAAC,eAAe,cAAc,CAAA,+DAAA,CAAiE,CAAC;AAE5I,gBAAA,MAAMA,gCAAc,CAAC,CAAA,YAAA,EAAe,cAAc,CAAA,+DAAA,CAAiE,CAAC;YACrH;YAEA,IAAI,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE;gBAC/B,sCAAsC,CAAC,KAAK,CAAC,CAAA,YAAA,EAAe,cAAc,CAAA,oDAAA,EAAuD,KAAK,CAAC,IAAI,CAAA,CAAA,CAAG,CAAC;gBAE/I,MAAMA,gCAAc,CAAC,CAAA,YAAA,EAAe,cAAc,CAAA,oDAAA,EAAuD,KAAK,CAAC,IAAI,CAAA,CAAA,CAAG,CAAC;YACxH;YAEA,IAAI,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE;gBACpC,sCAAsC,CAAC,KAAK,CAAC,CAAA,YAAA,EAAe,cAAc,CAAA,mDAAA,EAAsD,KAAK,CAAC,SAAS,CAAA,CAAA,CAAG,CAAC;gBAEnJ,MAAMA,gCAAc,CAAC,CAAA,YAAA,EAAe,cAAc,CAAA,mDAAA,EAAsD,KAAK,CAAC,SAAS,CAAA,CAAA,CAAG,CAAC;YAC5H;AAEA,YAAA,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC;AAC1B,YAAA,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC;QAChC;IACD;;AA7KYF,kDAA0C,GAAAK,oBAAA,CAAA;AADtD,IAAAC,iBAAU,EAAE;IAKVC,iBAAA,CAAA,CAAA,EAAAC,eAAQ,EAAE,CAAA;AACV,IAAAD,iBAAA,CAAA,CAAA,EAAAE,aAAM,CAACC,yEAA2C,CAAC,CAAA;+CAHjBC,qBAAgB;QAClBC,6CAA8B,EAAA,KAAA,CAAA;AAHpD,CAAA,EAAAZ,kDAA0C,CA8KtD;;"}