@flowerforce/flowerbase 1.0.2 → 1.0.3-beta.0

package/src/services/mongodb-atlas/index.ts

@@ -3,8 +3,8 @@ import isEqual from 'lodash/isEqual'
 import { Collection, Document, EventsDescription, FindCursor, WithId } from 'mongodb'
 import { checkValidation } from '../../utils/roles/machines'
 import { getWinningRole } from '../../utils/roles/machines/utils'
-import { GetOperatorsFunction, MongodbAtlasFunction } from './model'
-import { getFormattedQuery } from './utils'
+import { CRUD_OPERATIONS, GetOperatorsFunction, MongodbAtlasFunction } from './model'
+import { applyAccessControlToPipeline, checkDenyOperation, getFormattedProjection, getFormattedQuery } from './utils'
 
 //TODO aggiungere no-sql inject security
 const getOperators: GetOperatorsFunction = (
@@ -28,6 +28,7 @@ const getOperators: GetOperatorsFunction = (
    */
   findOne: async (query) => {
     if (!run_as_system) {
+      checkDenyOperation(rules, collection.collectionName, CRUD_OPERATIONS.READ)
       const { filters, roles } = rules[collName] || {}
 
       // Apply access control filters to the query
@@ -75,6 +76,7 @@ const getOperators: GetOperatorsFunction = (
    */
   deleteOne: async (query = {}) => {
     if (!run_as_system) {
+      checkDenyOperation(rules, collection.collectionName, CRUD_OPERATIONS.DELETE)
       const { filters, roles } = rules[collName] || {}
 
       // Apply access control filters
@@ -129,6 +131,7 @@ const getOperators: GetOperatorsFunction = (
     const { roles } = rules[collName] || {}
 
     if (!run_as_system) {
+      checkDenyOperation(rules, collection.collectionName, CRUD_OPERATIONS.CREATE)
       const winningRole = getWinningRole(data, user, roles)
 
       const { status, document } = winningRole
@@ -175,6 +178,7 @@ const getOperators: GetOperatorsFunction = (
    */
   updateOne: async (query, data, options) => {
     if (!run_as_system) {
+      checkDenyOperation(rules, collection.collectionName, CRUD_OPERATIONS.UPDATE)
       const { filters, roles } = rules[collName] || {}
       // Apply access control filters
       const formattedQuery = getFormattedQuery(filters, query, user)
@@ -252,12 +256,13 @@ const getOperators: GetOperatorsFunction = (
    */
   find: (query) => {
     if (!run_as_system) {
+      checkDenyOperation(rules, collection.collectionName, CRUD_OPERATIONS.READ)
       const { filters, roles } = rules[collName] || {}
 
       // Pre-query filtering based on access control rules
       const formattedQuery = getFormattedQuery(filters, query, user)
+      // aggiunto filter per evitare questo errore: $and argument's entries must be objects
       const originalCursor = collection.find({ $and: formattedQuery })
-
       // Clone the cursor to override `toArray` with post-query validation
       const client = originalCursor[
         'client' as keyof typeof originalCursor
@@ -322,6 +327,7 @@ const getOperators: GetOperatorsFunction = (
    */
   watch: (pipeline = [], options) => {
     if (!run_as_system) {
+      checkDenyOperation(rules, collection.collectionName, CRUD_OPERATIONS.READ)
       const { filters, roles } = rules[collName] || {}
 
       // Apply access filters to initial change stream pipeline
@@ -406,7 +412,51 @@ const getOperators: GetOperatorsFunction = (
     return collection.watch(pipeline, options)
   },
   //TODO -> add filter & rules in aggregate
-  aggregate: (pipeline, options) => collection.aggregate(pipeline, options),
+  aggregate: async (pipeline = [], options) => {
+
+    if (run_as_system) {
+      return collection.aggregate(pipeline, options);
+    }
+    checkDenyOperation(rules, collection.collectionName, CRUD_OPERATIONS.READ)
+
+    const { filters = [], roles = [] } = rules[collection.collectionName] || {};
+    const formattedQuery = getFormattedQuery(filters, {}, user);
+    const projection = getFormattedProjection(filters);
+
+
+    const guardedPipeline = [
+      ...(formattedQuery.length ? [{ $match: { $and: formattedQuery } }] : []),
+      ...(projection ? [{ $project: projection }] : []),
+      ...applyAccessControlToPipeline(pipeline, rules, user)
+    ];
+
+    // const pipelineCollections = getCollectionsFromPipeline(pipeline)
+
+    // console.log(pipelineCollections)
+
+    // pipelineCollections.every((collection) => checkDenyOperation(rules, collection, CRUD_OPERATIONS.READ))
+
+    const originalCursor = collection.aggregate(guardedPipeline, options);
+    const newCursor = Object.create(originalCursor);
+
+    newCursor.toArray = async () => {
+      const results = await originalCursor.toArray();
+
+      const filtered = await Promise.all(
+        results.map(async (doc) => {
+          const role = getWinningRole(doc, user, roles);
+          const { status, document } = role
+            ? await checkValidation(role, { type: 'read', roles, cursor: doc, expansions: {} }, user)
+            : { status: !roles?.length, document: doc };
+          return status ? document : undefined;
+        })
+      );
+
+      return filtered.filter(Boolean);
+    };
+
+    return newCursor;
+  },
   /**
    * Inserts multiple documents into a MongoDB collection with optional role-based access control and validation.
    *
@@ -426,6 +476,7 @@ const getOperators: GetOperatorsFunction = (
    */
   insertMany: async (documents, options) => {
     if (!run_as_system) {
+      checkDenyOperation(rules, collection.collectionName, CRUD_OPERATIONS.CREATE)
       const { roles } = rules[collName] || {}
       // Validate each document against user's roles
       const filteredItems = await Promise.all(
@@ -462,6 +513,7 @@ const getOperators: GetOperatorsFunction = (
   },
   updateMany: async (query, data, options) => {
     if (!run_as_system) {
+      checkDenyOperation(rules, collection.collectionName, CRUD_OPERATIONS.UPDATE)
       const { filters, roles } = rules[collName] || {}
       // Apply access control filters
       const formattedQuery = getFormattedQuery(filters, query, user)
@@ -539,6 +591,7 @@ const getOperators: GetOperatorsFunction = (
    */
   deleteMany: async (query = {}) => {
     if (!run_as_system) {
+      checkDenyOperation(rules, collection.collectionName, CRUD_OPERATIONS.DELETE)
       const { filters, roles } = rules[collName] || {}
 
       // Apply access control filters
@@ -601,7 +654,9 @@ const MongodbAtlas: MongodbAtlasFunction = (
         const collection: Collection<Document> = app.mongo.client
           .db(dbName)
           .collection(collName)
-        return getOperators(collection, { rules, collName, user, run_as_system })
+        return getOperators(collection, {
+          rules, collName, user, run_as_system
+        })
       }
     }
   }

package/src/services/mongodb-atlas/model.ts

@@ -54,7 +54,7 @@ export type GetOperatorsFunction = (
   watch: (...params: Parameters<Method<'watch'>>) => ReturnType<Method<'watch'>>
   aggregate: (
     ...params: Parameters<Method<'aggregate'>>
-  ) => ReturnType<Method<'aggregate'>>
+  ) => Promise<ReturnType<Method<'aggregate'>>>
   insertMany: (
     ...params: Parameters<Method<'insertMany'>>
   ) => ReturnType<Method<'insertMany'>>
@@ -65,3 +65,12 @@ export type GetOperatorsFunction = (
     ...params: Parameters<Method<'deleteMany'>>
   ) => ReturnType<Method<'deleteMany'>>
 }
+
+
+export enum CRUD_OPERATIONS {
+  CREATE = "CREATE",
+  READ = "READ",
+  UPDATE = "UPDATE",
+  DELETE = "DELETE"
+
+}

package/src/services/mongodb-atlas/utils.ts

@@ -1,10 +1,10 @@
 import { Collection, Document } from 'mongodb'
 import { User } from '../../auth/dtos'
-import { Filter } from '../../features/rules/interface'
+import { AggregationPipeline, AggregationPipelineStage, Filter, LookupStage, Projection, Rules, STAGES_TO_SEARCH, UnionWithStage } from '../../features/rules/interface'
 import { Role } from '../../utils/roles/interface'
 import { expandQuery } from '../../utils/rules'
 import rulesMatcherUtils from '../../utils/rules-matcher/utils'
-import { GetValidRuleParams } from './model'
+import { CRUD_OPERATIONS, GetValidRuleParams } from './model'
 
 export const getValidRule = <T extends Role | Filter>({
   filters = [],
@@ -44,3 +44,130 @@ export const getFormattedQuery = (
     query
   ].filter(Boolean)
 }
+
+export const getFormattedProjection = (filters: Filter[] = [], user?: User): Projection | null => {
+  const projections = filters.filter((filter) => {
+    if (filter.projection) {
+      const preFilter = getValidRule({ filters, user })
+      const isValidPreFilter = !!preFilter?.length
+      return isValidPreFilter
+    }
+    return false
+  }).map(f => f.projection)
+  if (!projections.length) return null;
+  return Object.assign({}, ...projections);
+}
+
+
+export const applyAccessControlToPipeline = (
+  pipeline: AggregationPipeline,
+  rules: Record<string, {
+    filters?: Filter[];
+    roles?: Role[];
+  }>,
+  user: User
+): AggregationPipeline => {
+  return pipeline.map((stage) => {
+    const [stageName] = Object.keys(stage);
+    const value = stage[stageName as keyof typeof stage];
+
+    // CASE LOOKUP
+    if (stageName === STAGES_TO_SEARCH.LOOKUP) {
+      const lookUpStage = value as LookupStage
+      const currentCollection = lookUpStage.from
+      const lookupRules = rules[currentCollection] || {};
+      const formattedQuery = getFormattedQuery(lookupRules.filters, {}, user);
+      const projection = getFormattedProjection(lookupRules.filters);
+
+      return {
+        $lookup: {
+          ...lookUpStage,
+          pipeline: [
+            ...(formattedQuery.length ? [{ $match: { $and: formattedQuery } }] : []),
+            ...(projection ? [{ $project: projection }] : []),
+            ...applyAccessControlToPipeline(lookUpStage.pipeline || [], rules, user)
+          ]
+        }
+      };
+    }
+
+    // CASE LOOKUP
+    if (stageName === STAGES_TO_SEARCH.UNION_WITH) {
+      const unionWithStage = value as UnionWithStage
+      const isSimpleStage = typeof unionWithStage === "string"
+      const currentCollection = isSimpleStage ? unionWithStage : unionWithStage.coll;
+      const unionRules = rules[currentCollection] || {};
+      const formattedQuery = getFormattedQuery(unionRules.filters, {}, user);
+      const projection = getFormattedProjection(unionRules.filters);
+
+      const nestedPipeline = isSimpleStage ? [] : (unionWithStage.pipeline || [])
+
+      return {
+        $unionWith: {
+          coll: currentCollection,
+          pipeline: [
+            ...(formattedQuery.length ? [{ $match: { $and: formattedQuery } }] : []),
+            ...(projection ? [{ $project: projection }] : []),
+            ...applyAccessControlToPipeline((nestedPipeline), rules, user)
+          ]
+        }
+      };
+    }
+
+    // CASE FACET
+    if (stageName === STAGES_TO_SEARCH.FACET) {
+      const modifiedFacets = Object.fromEntries(
+        (Object.entries(value) as [string, AggregationPipelineStage[]][]).map(([facetKey, facetPipeline]) => {
+          return [
+            facetKey,
+            applyAccessControlToPipeline(facetPipeline, rules, user)
+          ];
+        })
+      );
+
+      return { $facet: modifiedFacets };
+    }
+
+    return stage;
+  });
+}
+
+export const checkDenyOperation = (rules: Rules, collectionName: string, operation: CRUD_OPERATIONS) => {
+  const collectionRules = rules[collectionName]
+  if (!collectionRules) {
+    throw new Error(`${operation} FORBIDDEN!`)
+  }
+}
+export const getCollectionsFromPipeline = (pipeline: Document[]) => {
+  return pipeline.reduce<string[]>((acc, stage) => {
+    const [stageKey] = Object.keys(stage);
+    const stageValue = stage[stageKey];
+    const subPipeline = stageValue?.pipeline;
+
+    if (stageKey === STAGES_TO_SEARCH.LOOKUP) {
+      acc.push(...[stageValue.from, ...acc]);
+      if (subPipeline) {
+        const collections = getCollectionsFromPipeline(subPipeline);
+        acc.push(...[stageValue.from, ...collections]);
+      }
+    }
+
+    if (stageKey === STAGES_TO_SEARCH.FACET) {
+      for (const sub of Object.values(stageValue) as Document[][]) {
+        const collections = getCollectionsFromPipeline(sub);
+        acc.push(...collections);
+      }
+    }
+
+    if (
+      stageKey === STAGES_TO_SEARCH.UNION_WITH &&
+      typeof stageValue === 'object' &&
+      subPipeline
+    ) {
+      const collections = getCollectionsFromPipeline(subPipeline);
+      acc.push(...[stageValue.coll, ...collections]);
+    }
+
+    return acc;
+  }, []);
+};

package/src/utils/rules.ts

@@ -12,9 +12,9 @@ export function expandQuery(
 
     const callback = (match: string, path: string) => {
       const value = get(objs, `%%${path}`) // Recupera il valore annidato da values
-      const finalValue =
-        typeof value === 'string' ? `"${value}"` : value && JSON.stringify(value)
-      return `:${value !== undefined ? finalValue : match}` // Sostituisci se esiste, altrimenti lascia il placeholder
+      const finalValue = typeof value === 'string' ? `"${value}"` : value && JSON.stringify(value)
+      // TODO tolto i primi : creava questo tipo di oggetto {"userId"::"%%user.id"}
+      return value !== undefined ? finalValue : match // Sostituisci se esiste, altrimenti lascia il placeholder
     }
 
     expandedQuery = expandedQuery.replace(