@flusys/nestjs-iam 0.1.0-beta.1 → 0.1.0-beta.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +665 -0
- package/cjs/config/iam.constants.js +11 -0
- package/cjs/config/index.js +18 -0
- package/cjs/controllers/action.controller.js +117 -0
- package/cjs/controllers/company-action-permission.controller.js +110 -0
- package/cjs/controllers/index.js +23 -0
- package/cjs/controllers/my-permission.controller.js +90 -0
- package/cjs/controllers/role-permission.controller.js +160 -0
- package/cjs/controllers/role.controller.js +58 -0
- package/cjs/controllers/user-action-permission.controller.js +110 -0
- package/cjs/docs/iam-swagger.config.js +202 -0
- package/cjs/docs/index.js +18 -0
- package/cjs/dtos/action.dto.js +347 -0
- package/cjs/dtos/index.js +21 -0
- package/cjs/dtos/permission.dto.js +554 -0
- package/cjs/dtos/role.dto.js +238 -0
- package/cjs/entities/action-base.entity.js +135 -0
- package/cjs/entities/action.entity.js +28 -0
- package/cjs/entities/index.js +81 -0
- package/cjs/entities/permission-base.entity.js +156 -0
- package/cjs/entities/permission-with-company.entity.js +99 -0
- package/cjs/entities/role-base.entity.js +86 -0
- package/cjs/entities/role-with-company.entity.js +55 -0
- package/cjs/entities/role.entity.js +25 -0
- package/cjs/entities/user-iam-permission.entity.js +57 -0
- package/cjs/enums/action-type.enum.js +22 -0
- package/cjs/enums/index.js +19 -0
- package/cjs/enums/permission-type.enum.js +16 -0
- package/cjs/helpers/index.js +19 -0
- package/cjs/helpers/permission-evaluator.helper.js +175 -0
- package/cjs/helpers/permission-mode.helper.js +49 -0
- package/cjs/index.js +28 -79
- package/cjs/interfaces/action.interface.js +4 -0
- package/cjs/interfaces/iam-module-async-options.interface.js +4 -0
- package/cjs/interfaces/iam-module-options.interface.js +18 -0
- package/cjs/interfaces/index.js +21 -0
- package/cjs/interfaces/role.interface.js +7 -0
- package/cjs/modules/iam.module.js +237 -0
- package/cjs/modules/index.js +18 -0
- package/cjs/services/action.service.js +253 -0
- package/cjs/services/iam-config.service.js +107 -0
- package/cjs/services/iam-datasource.provider.js +205 -0
- package/cjs/services/index.js +23 -0
- package/cjs/services/permission-cache.service.js +308 -0
- package/cjs/services/permission.service.js +1020 -0
- package/cjs/services/role.service.js +181 -0
- package/cjs/types/index.js +18 -0
- package/cjs/types/logic-node.type.js +54 -0
- package/fesm/config/iam.constants.js +1 -0
- package/fesm/config/index.js +1 -0
- package/fesm/controllers/action.controller.js +107 -0
- package/fesm/controllers/company-action-permission.controller.js +100 -0
- package/fesm/controllers/index.js +7 -0
- package/fesm/controllers/my-permission.controller.js +80 -0
- package/fesm/controllers/role-permission.controller.js +150 -0
- package/fesm/controllers/role.controller.js +48 -0
- package/fesm/controllers/user-action-permission.controller.js +100 -0
- package/fesm/docs/iam-swagger.config.js +192 -0
- package/fesm/docs/index.js +1 -0
- package/fesm/dtos/action.dto.js +317 -0
- package/fesm/dtos/index.js +4 -0
- package/fesm/dtos/permission.dto.js +490 -0
- package/fesm/dtos/role.dto.js +214 -0
- package/fesm/entities/action-base.entity.js +128 -0
- package/fesm/entities/action.entity.js +18 -0
- package/fesm/entities/index.js +56 -0
- package/fesm/entities/permission-base.entity.js +138 -0
- package/fesm/entities/permission-with-company.entity.js +89 -0
- package/fesm/entities/role-base.entity.js +79 -0
- package/fesm/entities/role-with-company.entity.js +45 -0
- package/fesm/entities/role.entity.js +15 -0
- package/fesm/entities/user-iam-permission.entity.js +38 -0
- package/fesm/enums/action-type.enum.js +12 -0
- package/fesm/enums/index.js +2 -0
- package/fesm/enums/permission-type.enum.js +6 -0
- package/fesm/helpers/index.js +2 -0
- package/fesm/helpers/permission-evaluator.helper.js +165 -0
- package/fesm/helpers/permission-mode.helper.js +49 -0
- package/fesm/index.js +11 -79
- package/fesm/interfaces/action.interface.js +3 -0
- package/fesm/interfaces/iam-module-async-options.interface.js +3 -0
- package/fesm/interfaces/iam-module-options.interface.js +1 -0
- package/fesm/interfaces/index.js +4 -0
- package/fesm/interfaces/role.interface.js +4 -0
- package/fesm/modules/iam.module.js +227 -0
- package/fesm/modules/index.js +1 -0
- package/fesm/services/action.service.js +243 -0
- package/fesm/services/iam-config.service.js +97 -0
- package/fesm/services/iam-datasource.provider.js +154 -0
- package/fesm/services/index.js +6 -0
- package/fesm/services/permission-cache.service.js +298 -0
- package/fesm/services/permission.service.js +1010 -0
- package/fesm/services/role.service.js +171 -0
- package/fesm/types/index.js +1 -0
- package/fesm/types/logic-node.type.js +36 -0
- package/package.json +25 -25
- package/cjs/config-index.js +0 -1
- package/cjs/controllers-index.js +0 -1
- package/cjs/docs-index.js +0 -79
- package/cjs/dtos-index.js +0 -1
- package/cjs/entities-index.js +0 -1
- package/cjs/enums-index.js +0 -1
- package/cjs/helpers-index.js +0 -1
- package/cjs/interfaces-index.js +0 -1
- package/cjs/modules-index.js +0 -1
- package/cjs/services-index.js +0 -1
- package/cjs/types-index.js +0 -1
- package/fesm/config-index.js +0 -1
- package/fesm/controllers-index.js +0 -1
- package/fesm/docs-index.js +0 -79
- package/fesm/dtos-index.js +0 -1
- package/fesm/entities-index.js +0 -1
- package/fesm/enums-index.js +0 -1
- package/fesm/helpers-index.js +0 -1
- package/fesm/interfaces-index.js +0 -0
- package/fesm/modules-index.js +0 -1
- package/fesm/services-index.js +0 -1
- package/fesm/types-index.js +0 -1
|
@@ -0,0 +1,150 @@
|
|
|
1
|
+
function _define_property(obj, key, value) {
|
|
2
|
+
if (key in obj) {
|
|
3
|
+
Object.defineProperty(obj, key, {
|
|
4
|
+
value: value,
|
|
5
|
+
enumerable: true,
|
|
6
|
+
configurable: true,
|
|
7
|
+
writable: true
|
|
8
|
+
});
|
|
9
|
+
} else {
|
|
10
|
+
obj[key] = value;
|
|
11
|
+
}
|
|
12
|
+
return obj;
|
|
13
|
+
}
|
|
14
|
+
function _ts_decorate(decorators, target, key, desc) {
|
|
15
|
+
var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
|
|
16
|
+
if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
|
|
17
|
+
else for(var i = decorators.length - 1; i >= 0; i--)if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
|
|
18
|
+
return c > 3 && r && Object.defineProperty(target, key, r), r;
|
|
19
|
+
}
|
|
20
|
+
function _ts_metadata(k, v) {
|
|
21
|
+
if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
|
|
22
|
+
}
|
|
23
|
+
function _ts_param(paramIndex, decorator) {
|
|
24
|
+
return function(target, key) {
|
|
25
|
+
decorator(target, key, paramIndex);
|
|
26
|
+
};
|
|
27
|
+
}
|
|
28
|
+
import { JwtAuthGuard, SingleResponseDto } from '@flusys/nestjs-shared';
|
|
29
|
+
import { Body, Controller, Get, Inject, Param, Post, Query, UseGuards } from '@nestjs/common';
|
|
30
|
+
import { ApiBearerAuth, ApiBody, ApiOperation, ApiResponse, ApiTags } from '@nestjs/swagger';
|
|
31
|
+
import { AssignRoleActionsDto, AssignUserRolesDto, GetRoleActionsDto, GetUserRolesDto, PermissionOperationResultDto } from '../dtos/permission.dto';
|
|
32
|
+
import { PermissionService } from '../services/permission.service';
|
|
33
|
+
export class RolePermissionController {
|
|
34
|
+
async assignRoleActions(dto) {
|
|
35
|
+
return this.permissionService.assignRoleActions(dto);
|
|
36
|
+
}
|
|
37
|
+
async getRoleActions(roleId, query) {
|
|
38
|
+
const actions = await this.permissionService.getRoleActions(roleId);
|
|
39
|
+
return {
|
|
40
|
+
success: true,
|
|
41
|
+
message: 'Role actions retrieved successfully',
|
|
42
|
+
data: actions
|
|
43
|
+
};
|
|
44
|
+
}
|
|
45
|
+
async assignUserRoles(dto) {
|
|
46
|
+
return this.permissionService.assignUserRoles(dto);
|
|
47
|
+
}
|
|
48
|
+
async getUserRoles(userId, query) {
|
|
49
|
+
const roles = await this.permissionService.getUserRoles(userId, query.branchId, query.companyId);
|
|
50
|
+
return {
|
|
51
|
+
success: true,
|
|
52
|
+
message: 'User roles retrieved successfully',
|
|
53
|
+
data: roles
|
|
54
|
+
};
|
|
55
|
+
}
|
|
56
|
+
// NOTE: @Inject() required for bundled code - type metadata may be lost during esbuild
|
|
57
|
+
constructor(permissionService){
|
|
58
|
+
_define_property(this, "permissionService", void 0);
|
|
59
|
+
this.permissionService = permissionService;
|
|
60
|
+
}
|
|
61
|
+
}
|
|
62
|
+
_ts_decorate([
|
|
63
|
+
Post('role-actions/assign'),
|
|
64
|
+
ApiOperation({
|
|
65
|
+
summary: 'Assign/remove actions to/from role',
|
|
66
|
+
description: 'RBAC mode. No branch scoping.'
|
|
67
|
+
}),
|
|
68
|
+
ApiResponse({
|
|
69
|
+
status: 200,
|
|
70
|
+
type: PermissionOperationResultDto
|
|
71
|
+
}),
|
|
72
|
+
ApiBody({
|
|
73
|
+
type: AssignRoleActionsDto
|
|
74
|
+
}),
|
|
75
|
+
_ts_param(0, Body()),
|
|
76
|
+
_ts_metadata("design:type", Function),
|
|
77
|
+
_ts_metadata("design:paramtypes", [
|
|
78
|
+
typeof AssignRoleActionsDto === "undefined" ? Object : AssignRoleActionsDto
|
|
79
|
+
]),
|
|
80
|
+
_ts_metadata("design:returntype", Promise)
|
|
81
|
+
], RolePermissionController.prototype, "assignRoleActions", null);
|
|
82
|
+
_ts_decorate([
|
|
83
|
+
Get('role-actions/:roleId'),
|
|
84
|
+
ApiOperation({
|
|
85
|
+
summary: 'Get role actions',
|
|
86
|
+
description: 'Returns actions assigned to role.'
|
|
87
|
+
}),
|
|
88
|
+
ApiResponse({
|
|
89
|
+
status: 200,
|
|
90
|
+
type: SingleResponseDto
|
|
91
|
+
}),
|
|
92
|
+
_ts_param(0, Param('roleId')),
|
|
93
|
+
_ts_param(1, Query()),
|
|
94
|
+
_ts_metadata("design:type", Function),
|
|
95
|
+
_ts_metadata("design:paramtypes", [
|
|
96
|
+
String,
|
|
97
|
+
typeof GetRoleActionsDto === "undefined" ? Object : GetRoleActionsDto
|
|
98
|
+
]),
|
|
99
|
+
_ts_metadata("design:returntype", Promise)
|
|
100
|
+
], RolePermissionController.prototype, "getRoleActions", null);
|
|
101
|
+
_ts_decorate([
|
|
102
|
+
Post('user-roles/assign'),
|
|
103
|
+
ApiOperation({
|
|
104
|
+
summary: 'Assign/remove roles to/from user',
|
|
105
|
+
description: 'RBAC mode. If company feature enabled, branchId is required.'
|
|
106
|
+
}),
|
|
107
|
+
ApiResponse({
|
|
108
|
+
status: 200,
|
|
109
|
+
type: PermissionOperationResultDto
|
|
110
|
+
}),
|
|
111
|
+
ApiBody({
|
|
112
|
+
type: AssignUserRolesDto
|
|
113
|
+
}),
|
|
114
|
+
_ts_param(0, Body()),
|
|
115
|
+
_ts_metadata("design:type", Function),
|
|
116
|
+
_ts_metadata("design:paramtypes", [
|
|
117
|
+
typeof AssignUserRolesDto === "undefined" ? Object : AssignUserRolesDto
|
|
118
|
+
]),
|
|
119
|
+
_ts_metadata("design:returntype", Promise)
|
|
120
|
+
], RolePermissionController.prototype, "assignUserRoles", null);
|
|
121
|
+
_ts_decorate([
|
|
122
|
+
Get('user-roles/:userId'),
|
|
123
|
+
ApiOperation({
|
|
124
|
+
summary: 'Get user roles',
|
|
125
|
+
description: 'Returns roles assigned to user. Filter by companyId and branchId.'
|
|
126
|
+
}),
|
|
127
|
+
ApiResponse({
|
|
128
|
+
status: 200,
|
|
129
|
+
type: SingleResponseDto
|
|
130
|
+
}),
|
|
131
|
+
_ts_param(0, Param('userId')),
|
|
132
|
+
_ts_param(1, Query()),
|
|
133
|
+
_ts_metadata("design:type", Function),
|
|
134
|
+
_ts_metadata("design:paramtypes", [
|
|
135
|
+
String,
|
|
136
|
+
typeof GetUserRolesDto === "undefined" ? Object : GetUserRolesDto
|
|
137
|
+
]),
|
|
138
|
+
_ts_metadata("design:returntype", Promise)
|
|
139
|
+
], RolePermissionController.prototype, "getUserRoles", null);
|
|
140
|
+
RolePermissionController = _ts_decorate([
|
|
141
|
+
ApiTags('IAM - Role Permissions'),
|
|
142
|
+
Controller('iam/permissions'),
|
|
143
|
+
UseGuards(JwtAuthGuard),
|
|
144
|
+
ApiBearerAuth(),
|
|
145
|
+
_ts_param(0, Inject(PermissionService)),
|
|
146
|
+
_ts_metadata("design:type", Function),
|
|
147
|
+
_ts_metadata("design:paramtypes", [
|
|
148
|
+
typeof PermissionService === "undefined" ? Object : PermissionService
|
|
149
|
+
])
|
|
150
|
+
], RolePermissionController);
|
|
@@ -0,0 +1,48 @@
|
|
|
1
|
+
function _define_property(obj, key, value) {
|
|
2
|
+
if (key in obj) {
|
|
3
|
+
Object.defineProperty(obj, key, {
|
|
4
|
+
value: value,
|
|
5
|
+
enumerable: true,
|
|
6
|
+
configurable: true,
|
|
7
|
+
writable: true
|
|
8
|
+
});
|
|
9
|
+
} else {
|
|
10
|
+
obj[key] = value;
|
|
11
|
+
}
|
|
12
|
+
return obj;
|
|
13
|
+
}
|
|
14
|
+
function _ts_decorate(decorators, target, key, desc) {
|
|
15
|
+
var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
|
|
16
|
+
if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
|
|
17
|
+
else for(var i = decorators.length - 1; i >= 0; i--)if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
|
|
18
|
+
return c > 3 && r && Object.defineProperty(target, key, r), r;
|
|
19
|
+
}
|
|
20
|
+
function _ts_metadata(k, v) {
|
|
21
|
+
if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
|
|
22
|
+
}
|
|
23
|
+
function _ts_param(paramIndex, decorator) {
|
|
24
|
+
return function(target, key) {
|
|
25
|
+
decorator(target, key, paramIndex);
|
|
26
|
+
};
|
|
27
|
+
}
|
|
28
|
+
import { createApiController } from '@flusys/nestjs-shared/classes';
|
|
29
|
+
import { Controller, Inject } from '@nestjs/common';
|
|
30
|
+
import { ApiTags } from '@nestjs/swagger';
|
|
31
|
+
import { CreateRoleDto, RoleResponseDto, UpdateRoleDto } from '../dtos/role.dto';
|
|
32
|
+
import { RoleService } from '../services/role.service';
|
|
33
|
+
export class RoleController extends createApiController(CreateRoleDto, UpdateRoleDto, RoleResponseDto, {
|
|
34
|
+
security: 'jwt'
|
|
35
|
+
}) {
|
|
36
|
+
constructor(roleService){
|
|
37
|
+
super(roleService), _define_property(this, "roleService", void 0), this.roleService = roleService;
|
|
38
|
+
}
|
|
39
|
+
}
|
|
40
|
+
RoleController = _ts_decorate([
|
|
41
|
+
ApiTags('IAM - Roles'),
|
|
42
|
+
Controller('iam/roles'),
|
|
43
|
+
_ts_param(0, Inject(RoleService)),
|
|
44
|
+
_ts_metadata("design:type", Function),
|
|
45
|
+
_ts_metadata("design:paramtypes", [
|
|
46
|
+
typeof RoleService === "undefined" ? Object : RoleService
|
|
47
|
+
])
|
|
48
|
+
], RoleController);
|
|
@@ -0,0 +1,100 @@
|
|
|
1
|
+
function _define_property(obj, key, value) {
|
|
2
|
+
if (key in obj) {
|
|
3
|
+
Object.defineProperty(obj, key, {
|
|
4
|
+
value: value,
|
|
5
|
+
enumerable: true,
|
|
6
|
+
configurable: true,
|
|
7
|
+
writable: true
|
|
8
|
+
});
|
|
9
|
+
} else {
|
|
10
|
+
obj[key] = value;
|
|
11
|
+
}
|
|
12
|
+
return obj;
|
|
13
|
+
}
|
|
14
|
+
function _ts_decorate(decorators, target, key, desc) {
|
|
15
|
+
var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
|
|
16
|
+
if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
|
|
17
|
+
else for(var i = decorators.length - 1; i >= 0; i--)if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
|
|
18
|
+
return c > 3 && r && Object.defineProperty(target, key, r), r;
|
|
19
|
+
}
|
|
20
|
+
function _ts_metadata(k, v) {
|
|
21
|
+
if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
|
|
22
|
+
}
|
|
23
|
+
function _ts_param(paramIndex, decorator) {
|
|
24
|
+
return function(target, key) {
|
|
25
|
+
decorator(target, key, paramIndex);
|
|
26
|
+
};
|
|
27
|
+
}
|
|
28
|
+
import { JwtAuthGuard, SingleResponseDto } from '@flusys/nestjs-shared';
|
|
29
|
+
import { Body, Controller, Get, Inject, Param, Post, Query, UseGuards } from '@nestjs/common';
|
|
30
|
+
import { ApiBearerAuth, ApiBody, ApiOperation, ApiResponse, ApiTags } from '@nestjs/swagger';
|
|
31
|
+
import { AssignUserActionsDto, GetUserActionsDto, PermissionOperationResultDto } from '../dtos/permission.dto';
|
|
32
|
+
import { PermissionService } from '../services/permission.service';
|
|
33
|
+
export class UserActionPermissionController {
|
|
34
|
+
async assignUserActions(dto) {
|
|
35
|
+
return this.permissionService.assignUserActions(dto);
|
|
36
|
+
}
|
|
37
|
+
async getUserActions(userId, query) {
|
|
38
|
+
const actions = await this.permissionService.getUserActions(userId, query.branchId, query.companyId);
|
|
39
|
+
return {
|
|
40
|
+
success: true,
|
|
41
|
+
message: 'User actions retrieved successfully',
|
|
42
|
+
data: actions
|
|
43
|
+
};
|
|
44
|
+
}
|
|
45
|
+
// NOTE: @Inject() required for bundled code - type metadata may be lost during esbuild
|
|
46
|
+
constructor(permissionService){
|
|
47
|
+
_define_property(this, "permissionService", void 0);
|
|
48
|
+
this.permissionService = permissionService;
|
|
49
|
+
}
|
|
50
|
+
}
|
|
51
|
+
_ts_decorate([
|
|
52
|
+
Post('user-actions/assign'),
|
|
53
|
+
ApiOperation({
|
|
54
|
+
summary: 'Assign/remove actions to/from user',
|
|
55
|
+
description: 'Direct permissions. If company feature enabled, branchId is required.'
|
|
56
|
+
}),
|
|
57
|
+
ApiResponse({
|
|
58
|
+
status: 200,
|
|
59
|
+
type: PermissionOperationResultDto
|
|
60
|
+
}),
|
|
61
|
+
ApiBody({
|
|
62
|
+
type: AssignUserActionsDto
|
|
63
|
+
}),
|
|
64
|
+
_ts_param(0, Body()),
|
|
65
|
+
_ts_metadata("design:type", Function),
|
|
66
|
+
_ts_metadata("design:paramtypes", [
|
|
67
|
+
typeof AssignUserActionsDto === "undefined" ? Object : AssignUserActionsDto
|
|
68
|
+
]),
|
|
69
|
+
_ts_metadata("design:returntype", Promise)
|
|
70
|
+
], UserActionPermissionController.prototype, "assignUserActions", null);
|
|
71
|
+
_ts_decorate([
|
|
72
|
+
Get('user-actions/:userId'),
|
|
73
|
+
ApiOperation({
|
|
74
|
+
summary: 'Get user direct actions',
|
|
75
|
+
description: 'Returns direct action permissions for user. Filter by companyId and branchId.'
|
|
76
|
+
}),
|
|
77
|
+
ApiResponse({
|
|
78
|
+
status: 200,
|
|
79
|
+
type: SingleResponseDto
|
|
80
|
+
}),
|
|
81
|
+
_ts_param(0, Param('userId')),
|
|
82
|
+
_ts_param(1, Query()),
|
|
83
|
+
_ts_metadata("design:type", Function),
|
|
84
|
+
_ts_metadata("design:paramtypes", [
|
|
85
|
+
String,
|
|
86
|
+
typeof GetUserActionsDto === "undefined" ? Object : GetUserActionsDto
|
|
87
|
+
]),
|
|
88
|
+
_ts_metadata("design:returntype", Promise)
|
|
89
|
+
], UserActionPermissionController.prototype, "getUserActions", null);
|
|
90
|
+
UserActionPermissionController = _ts_decorate([
|
|
91
|
+
ApiTags('IAM - User Action Permissions'),
|
|
92
|
+
Controller('iam/permissions'),
|
|
93
|
+
UseGuards(JwtAuthGuard),
|
|
94
|
+
ApiBearerAuth(),
|
|
95
|
+
_ts_param(0, Inject(PermissionService)),
|
|
96
|
+
_ts_metadata("design:type", Function),
|
|
97
|
+
_ts_metadata("design:paramtypes", [
|
|
98
|
+
typeof PermissionService === "undefined" ? Object : PermissionService
|
|
99
|
+
])
|
|
100
|
+
], UserActionPermissionController);
|
|
@@ -0,0 +1,192 @@
|
|
|
1
|
+
import { IAMPermissionMode } from '../enums/permission-type.enum';
|
|
2
|
+
/** Auth-related tags that should always be excluded from IAM API docs */ const AUTH_RELATED_TAGS = [
|
|
3
|
+
'Authentication',
|
|
4
|
+
'Users',
|
|
5
|
+
'Companies',
|
|
6
|
+
'Branches',
|
|
7
|
+
'User Permissions',
|
|
8
|
+
'Company Selection'
|
|
9
|
+
];
|
|
10
|
+
export function iamSwaggerConfig(enableCompanyFeature = false, permissionMode = IAMPermissionMode.FULL) {
|
|
11
|
+
const excludeSchemaProperties = enableCompanyFeature ? [] : [
|
|
12
|
+
// DTOs with companyId and branchId
|
|
13
|
+
{
|
|
14
|
+
schemaName: 'AssignUserActionsDto',
|
|
15
|
+
properties: [
|
|
16
|
+
'companyId',
|
|
17
|
+
'branchId'
|
|
18
|
+
]
|
|
19
|
+
},
|
|
20
|
+
{
|
|
21
|
+
schemaName: 'AssignUserRolesDto',
|
|
22
|
+
properties: [
|
|
23
|
+
'companyId',
|
|
24
|
+
'branchId'
|
|
25
|
+
]
|
|
26
|
+
},
|
|
27
|
+
{
|
|
28
|
+
schemaName: 'GetUserActionsDto',
|
|
29
|
+
properties: [
|
|
30
|
+
'companyId',
|
|
31
|
+
'branchId'
|
|
32
|
+
]
|
|
33
|
+
},
|
|
34
|
+
{
|
|
35
|
+
schemaName: 'GetUserRolesDto',
|
|
36
|
+
properties: [
|
|
37
|
+
'companyId',
|
|
38
|
+
'branchId'
|
|
39
|
+
]
|
|
40
|
+
},
|
|
41
|
+
// Response DTOs with branchId
|
|
42
|
+
{
|
|
43
|
+
schemaName: 'UserActionResponseDto',
|
|
44
|
+
properties: [
|
|
45
|
+
'branchId'
|
|
46
|
+
]
|
|
47
|
+
},
|
|
48
|
+
{
|
|
49
|
+
schemaName: 'UserRoleResponseDto',
|
|
50
|
+
properties: [
|
|
51
|
+
'branchId'
|
|
52
|
+
]
|
|
53
|
+
},
|
|
54
|
+
// Company-related DTOs (entire schemas hidden via tag exclusion, but just in case)
|
|
55
|
+
{
|
|
56
|
+
schemaName: 'AssignCompanyActionsDto',
|
|
57
|
+
properties: [
|
|
58
|
+
'companyId'
|
|
59
|
+
]
|
|
60
|
+
},
|
|
61
|
+
{
|
|
62
|
+
schemaName: 'CompanyActionResponseDto',
|
|
63
|
+
properties: [
|
|
64
|
+
'companyId'
|
|
65
|
+
]
|
|
66
|
+
}
|
|
67
|
+
];
|
|
68
|
+
// Hide query parameters for GET endpoints when company feature is disabled
|
|
69
|
+
const excludeQueryParameters = enableCompanyFeature ? [] : [
|
|
70
|
+
{
|
|
71
|
+
pathPattern: '/iam/permissions/user-actions/*',
|
|
72
|
+
method: 'get',
|
|
73
|
+
parameters: [
|
|
74
|
+
'companyId',
|
|
75
|
+
'branchId'
|
|
76
|
+
]
|
|
77
|
+
},
|
|
78
|
+
{
|
|
79
|
+
pathPattern: '/iam/permissions/user-roles/*',
|
|
80
|
+
method: 'get',
|
|
81
|
+
parameters: [
|
|
82
|
+
'companyId',
|
|
83
|
+
'branchId'
|
|
84
|
+
]
|
|
85
|
+
}
|
|
86
|
+
];
|
|
87
|
+
// Build exclude tags list: always exclude Auth tags + conditionally exclude based on permission mode
|
|
88
|
+
const excludeTags = [
|
|
89
|
+
...AUTH_RELATED_TAGS
|
|
90
|
+
];
|
|
91
|
+
// Hide company-related IAM endpoints when company feature is disabled
|
|
92
|
+
if (!enableCompanyFeature) {
|
|
93
|
+
excludeTags.push('IAM - Company Action Permissions');
|
|
94
|
+
}
|
|
95
|
+
// Conditionally exclude endpoints based on permission mode
|
|
96
|
+
if (permissionMode === IAMPermissionMode.RBAC) {
|
|
97
|
+
// RBAC only - hide direct user action endpoints
|
|
98
|
+
excludeTags.push('IAM - Permissions (Direct)');
|
|
99
|
+
} else if (permissionMode === IAMPermissionMode.DIRECT) {
|
|
100
|
+
// Direct only - hide RBAC endpoints
|
|
101
|
+
excludeTags.push('IAM - Permissions (RBAC)');
|
|
102
|
+
excludeTags.push('IAM - Roles'); // Roles are only used in RBAC
|
|
103
|
+
}
|
|
104
|
+
return {
|
|
105
|
+
title: 'IAM API',
|
|
106
|
+
description: `
|
|
107
|
+
## Identity & Access Management API
|
|
108
|
+
|
|
109
|
+
Advanced permission system with flexible modes: RBAC, Direct Permissions, or both.
|
|
110
|
+
|
|
111
|
+
### Current Configuration
|
|
112
|
+
- **Permission Mode**: ${permissionMode === IAMPermissionMode.RBAC ? '**RBAC** (Role-Based Access Control)' : permissionMode === IAMPermissionMode.DIRECT ? '**DIRECT** (Direct User Permissions)' : '**FULL** (RBAC + Direct)'}${enableCompanyFeature ? '\n- **Company Feature**: Enabled (Multi-tenant with company/branch scoping)' : '\n- **Company Feature**: Disabled'}
|
|
113
|
+
|
|
114
|
+
### Features Based on Mode
|
|
115
|
+
|
|
116
|
+
${permissionMode === IAMPermissionMode.RBAC || permissionMode === IAMPermissionMode.FULL ? `#### RBAC Features (Active)
|
|
117
|
+
- **Roles**: Create company-scoped roles${enableCompanyFeature ? ' (auto-filtered by user company)' : ''}
|
|
118
|
+
- **Role-Actions**: Assign actions to roles
|
|
119
|
+
- **User-Roles**: Assign roles to users${enableCompanyFeature ? ' at branch level' : ''}
|
|
120
|
+
` : ''}${permissionMode === IAMPermissionMode.DIRECT || permissionMode === IAMPermissionMode.FULL ? `#### Direct Permission Features (Active)
|
|
121
|
+
- **User-Actions**: Direct action assignment to users${enableCompanyFeature ? ' at branch level' : ''}
|
|
122
|
+
` : ''}${enableCompanyFeature ? `#### Company Features (Active)
|
|
123
|
+
- **Company-Action Whitelist**: Control which actions are available per company
|
|
124
|
+
- **Branch-Based Scoping**: Permissions scoped to specific branches
|
|
125
|
+
- **Auto-Filtering**: Roles automatically filtered by user's company
|
|
126
|
+
- **Action Tree Filtering**: Available actions filtered by company whitelist
|
|
127
|
+
` : ''}
|
|
128
|
+
### Core Concepts
|
|
129
|
+
|
|
130
|
+
#### Actions
|
|
131
|
+
Represent permissions in the system. Can be hierarchical.
|
|
132
|
+
|
|
133
|
+
**Action Types:**
|
|
134
|
+
- \`menu\` - Menu visibility (actions with type='menu' are used as menus)
|
|
135
|
+
- \`endpoint\` - API endpoint access
|
|
136
|
+
- \`frontend\` - Frontend feature toggles
|
|
137
|
+
${permissionMode === IAMPermissionMode.RBAC || permissionMode === IAMPermissionMode.FULL ? `
|
|
138
|
+
#### Roles
|
|
139
|
+
Collections of actions that can be assigned to users.${enableCompanyFeature ? ' Scoped to companies.' : ' Global across the system.'}
|
|
140
|
+
` : ''}${enableCompanyFeature ? `
|
|
141
|
+
#### Company-Action Whitelist
|
|
142
|
+
Controls which actions are available to a company. Users/roles can only use whitelisted actions.
|
|
143
|
+
|
|
144
|
+
**Flow:**
|
|
145
|
+
1. Admin assigns actions to company (whitelist)
|
|
146
|
+
2. Only whitelisted actions appear in permission assignment UIs
|
|
147
|
+
3. Users/roles cannot be assigned non-whitelisted actions
|
|
148
|
+
` : ''}
|
|
149
|
+
### Permission Resolution
|
|
150
|
+
|
|
151
|
+
${permissionMode === IAMPermissionMode.FULL ? `1. **Company-Action Whitelist** - Filter by company (if enabled)
|
|
152
|
+
2. **UserAction (DENY)** - Explicit denials take precedence
|
|
153
|
+
3. **UserAction (GRANT)** - Direct user grants
|
|
154
|
+
4. **UserRole → RoleAction** - Inherited from assigned roles
|
|
155
|
+
5. **Action Permission Logic** - Complex AND/OR rules` : permissionMode === IAMPermissionMode.RBAC ? `1. **Company-Action Whitelist** - Filter by company (if enabled)
|
|
156
|
+
2. **UserRole → RoleAction** - Actions inherited from roles
|
|
157
|
+
3. **Action Permission Logic** - Complex AND/OR rules` : `1. **Company-Action Whitelist** - Filter by company (if enabled)
|
|
158
|
+
2. **UserAction (DENY)** - Explicit denials take precedence
|
|
159
|
+
3. **UserAction (GRANT)** - Direct user grants
|
|
160
|
+
4. **Action Permission Logic** - Complex AND/OR rules`}
|
|
161
|
+
|
|
162
|
+
### API Endpoints Summary
|
|
163
|
+
|
|
164
|
+
#### Available Endpoints
|
|
165
|
+
- ✅ **Actions**: CRUD operations, tree view${enableCompanyFeature ? ', filtered tree for permissions' : ''}${permissionMode === IAMPermissionMode.RBAC || permissionMode === IAMPermissionMode.FULL ? `
|
|
166
|
+
- ✅ **Roles**: CRUD operations${enableCompanyFeature ? ' (auto-filtered by company)' : ''}
|
|
167
|
+
- ✅ **Role-Actions**: Assign actions to roles, get role actions
|
|
168
|
+
- ✅ **User-Roles**: Assign roles to users, get user roles` : `
|
|
169
|
+
- ❌ **Roles**: Disabled (RBAC mode not active)`}${permissionMode === IAMPermissionMode.DIRECT || permissionMode === IAMPermissionMode.FULL ? `
|
|
170
|
+
- ✅ **User-Actions**: Direct action assignment to users` : `
|
|
171
|
+
- ❌ **User-Actions**: Disabled (DIRECT mode not active)`}${enableCompanyFeature ? `
|
|
172
|
+
- ✅ **Company-Actions**: Whitelist actions for companies` : `
|
|
173
|
+
- ❌ **Company-Actions**: Disabled (company feature not enabled)`}
|
|
174
|
+
- ✅ **My Permissions**: Get current user's complete permissions (includes menu-type actions)
|
|
175
|
+
|
|
176
|
+
### Best Practices
|
|
177
|
+
|
|
178
|
+
1. **Action Codes**: Use meaningful codes like \`user.create\`, \`order.view\`
|
|
179
|
+
2. **Hierarchical Actions**: Group related actions (use parentId for hierarchy)${permissionMode === IAMPermissionMode.RBAC || permissionMode === IAMPermissionMode.FULL ? `
|
|
180
|
+
3. **Role Design**: Create roles for common permission patterns` : ''}${permissionMode === IAMPermissionMode.DIRECT || permissionMode === IAMPermissionMode.FULL ? `
|
|
181
|
+
${permissionMode === IAMPermissionMode.FULL ? '4' : '3'}. **Direct Actions**: Use sparingly for exceptions` : ''}${enableCompanyFeature ? `
|
|
182
|
+
${permissionMode === IAMPermissionMode.FULL ? '5' : '4'}. **Company Whitelisting**: Set up action whitelist before assigning permissions
|
|
183
|
+
${permissionMode === IAMPermissionMode.FULL ? '6' : '5'}. **Branch Scoping**: Use branches for location-based access control` : ''}
|
|
184
|
+
`,
|
|
185
|
+
version: '1.0',
|
|
186
|
+
path: 'api/docs/iam',
|
|
187
|
+
bearerAuth: true,
|
|
188
|
+
excludeSchemaProperties,
|
|
189
|
+
excludeTags,
|
|
190
|
+
excludeQueryParameters
|
|
191
|
+
};
|
|
192
|
+
}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
export * from './iam-swagger.config';
|