@geolonia/geonicdb-cli 0.6.3 → 0.7.0

package/README.md

@@ -213,12 +213,16 @@ Displays the current authenticated user, token expiry, and active profile.
 | `--entity-types <types>` | Allowed entity types (comma-separated) |
 | `--rate-limit <n>` | Rate limit (requests per minute) |
 | `--dpop-required` | Require DPoP token binding (RFC 9449) |
+| `--permissions <perms>` | Permissions for auto-generated XACML policy (comma-separated) |
 | `--save` | Save the API key to profile config |
 
 ```bash
 # Create an API key and save to config
 geonic me api-keys create --name my-app --scopes read:entities --save
 
+# Create with permissions (auto-generates XACML policy)
+geonic me api-keys create --name my-app --permissions read,write --save
+
 # Create from JSON
 geonic me api-keys create '{"name":"my-app","allowedScopes":["read:entities"]}'
 ```
@@ -392,6 +396,16 @@ Temporal entityOperations query supports: `--aggr-methods`, `--aggr-period`.
 | `admin policies activate <id>` | Activate a policy |
 | `admin policies deactivate <id>` | Deactivate a policy |
 
+**XACML Authorization Model**: All authorization is unified under XACML policies. Default role policies (priority 0):
+
+| Role | Default Behavior |
+|---|---|
+| `user` | GET only (read-only) |
+| `api_key` | All Deny |
+| `anonymous` | All Deny |
+
+Custom policies with higher priority (e.g. 100) override defaults. Target resource attributes include: `path`, `entityType`, `entityId`, `entityOwner`, `tenantService`, `servicePath`. The `servicePath` attribute supports glob patterns (e.g. `/opendata/**`) and regex matching.
+
 #### admin oauth-clients
 
 | Subcommand | Description |
@@ -412,7 +426,9 @@ Temporal entityOperations query supports: `--aggr-methods`, `--aggr-period`.
 | `admin api-keys update <keyId> [json]` | Update an API key |
 | `admin api-keys delete <keyId>` | Delete an API key |
 
-`admin api-keys list` supports `--tenant-id` to filter by tenant. `admin api-keys create` supports flag options: `--name`, `--scopes`, `--origins`, `--entity-types`, `--rate-limit`, `--dpop-required`, `--tenant-id`, `--save`. `admin api-keys update` supports `--name`, `--scopes`, `--origins`, `--entity-types`, `--rate-limit`, `--dpop-required` / `--no-dpop-required`.
+`admin api-keys list` supports `--tenant-id` to filter by tenant. `admin api-keys create` supports flag options: `--name`, `--scopes`, `--origins`, `--entity-types`, `--rate-limit`, `--dpop-required`, `--permissions`, `--tenant-id`, `--save`. `admin api-keys update` supports `--name`, `--scopes`, `--origins`, `--entity-types`, `--rate-limit`, `--dpop-required` / `--no-dpop-required`, `--permissions`.
+
+**Permissions**: The `--permissions` flag accepts a comma-separated list of `read`, `write`, `create`, `update`, `delete`. `write` is an alias for `create` + `update` + `delete`. When specified, XACML policies are auto-generated for the API key (respects `allowedEntityTypes`).
 
 **Note**: `allowedOrigins` must contain at least 1 item when specified. Use `*` to allow all origins. `allowedEntityTypes` is enforced at runtime — API key holders can only access entities of the specified types. `admin api-keys list` / `admin api-keys get` output includes a `dpopRequired` field (boolean).
 
@@ -560,13 +576,13 @@ geonic entities list --api-key gdb_your_api_key_here
 GDB_API_KEY=gdb_your_api_key_here geonic entities list
 ```
 
-When both a Bearer token and an API key are configured, both headers are sent (the server determines precedence).
+When both a Bearer token and an API key are configured, headers are sent exclusively — the API key takes precedence when present.
 
 ### Valid Scopes
 
 `read:entities`, `write:entities`, `read:subscriptions`, `write:subscriptions`, `read:registrations`, `write:registrations`, `read:rules`, `write:rules`, `read:custom-data-models`, `write:custom-data-models`, `admin:users`, `admin:tenants`, `admin:policies`, `admin:oauth-clients`, `admin:api-keys`, `admin:metrics`
 
-`write:X` implies `read:X`. `admin:X` implies both `read:X` and `write:X`.
+`admin:X` implies both `read:X` and `write:X`. `write:X` does **not** imply `read:X` — specify both explicitly if needed.
 
 Special scopes: `permanent` (no token expiry), `jwt` (JWT format token).
 

package/dist/index.js

@@ -945,8 +945,23 @@ var SCOPES_HELP_NOTES = [
   "  admin:users, admin:tenants, admin:policies, admin:oauth-clients,",
   "  admin:api-keys, admin:metrics",
   "",
-  "write:X implies read:X. admin:X implies both read:X and write:X."
+  "admin:X implies both read:X and write:X.",
+  "write:X does NOT imply read:X \u2014 specify both if needed."
 ];
+var API_KEY_SCOPES_HELP_NOTES = [
+  "Valid scopes:",
+  "  read:entities, write:entities, read:subscriptions, write:subscriptions,",
+  "  read:registrations, write:registrations"
+];
+var VALID_PERMISSIONS = /* @__PURE__ */ new Set(["read", "write", "create", "update", "delete"]);
+function parsePermissions(raw) {
+  const permissions = raw.split(",").map((s) => s.trim()).filter(Boolean);
+  if (permissions.length === 0 || permissions.some((p) => !VALID_PERMISSIONS.has(p))) {
+    printError("--permissions must be a comma-separated list of: read, write, create, update, delete");
+    process.exit(1);
+  }
+  return permissions;
+}
 function resolveOptions(cmd) {
   const opts = cmd.optsWithGlobals();
   const config = loadConfig(opts.profile);
@@ -1421,7 +1436,7 @@ function addMeApiKeysSubcommand(me) {
       command: "geonic me api-keys list"
     }
   ]);
-  const create = apiKeys.command("create [json]").description("Create a new API key").option("--name <name>", "Key name").option("--scopes <scopes>", "Allowed scopes (comma-separated)").option("--origins <origins>", "Allowed origins (comma-separated)").option("--entity-types <types>", "Allowed entity types (comma-separated)").option("--rate-limit <n>", "Rate limit per minute").option("--dpop-required", "Require DPoP token binding").option("--save", "Save the API key to config for automatic use").action(
+  const create = apiKeys.command("create [json]").description("Create a new API key").option("--name <name>", "Key name").option("--scopes <scopes>", "Allowed scopes (comma-separated)").option("--origins <origins>", "Allowed origins (comma-separated)").option("--entity-types <types>", "Allowed entity types (comma-separated)").option("--rate-limit <n>", "Rate limit per minute").option("--dpop-required", "Require DPoP token binding").option("--permissions <perms>", "Comma-separated permissions (read, write, create, update, delete)").option("--save", "Save the API key to config for automatic use").action(
     withErrorHandler(async (json, _opts, cmd) => {
       const opts = cmd.opts();
       if (opts.origins !== void 0) {
@@ -1434,13 +1449,14 @@ function addMeApiKeysSubcommand(me) {
       let body;
       if (json) {
         body = await parseJsonInput(json);
-      } else if (opts.name || opts.scopes || opts.origins || opts.entityTypes || opts.rateLimit || opts.dpopRequired !== void 0) {
+      } else if (opts.name || opts.scopes || opts.origins || opts.entityTypes || opts.rateLimit || opts.dpopRequired !== void 0 || opts.permissions) {
         const payload = {};
         if (opts.name) payload.name = opts.name;
         if (opts.scopes) payload.allowedScopes = opts.scopes.split(",").map((s) => s.trim()).filter(Boolean);
         if (opts.origins) payload.allowedOrigins = opts.origins.split(",").map((s) => s.trim()).filter(Boolean);
         if (opts.entityTypes) payload.allowedEntityTypes = opts.entityTypes.split(",").map((s) => s.trim()).filter(Boolean);
         if (opts.dpopRequired !== void 0) payload.dpopRequired = opts.dpopRequired;
+        if (opts.permissions) payload.permissions = parsePermissions(opts.permissions);
         if (opts.rateLimit) {
           const raw = opts.rateLimit.trim();
           if (!/^\d+$/.test(raw)) {
@@ -1489,12 +1505,22 @@ function addMeApiKeysSubcommand(me) {
       console.error("API key created.");
     })
   );
-  addNotes(create, SCOPES_HELP_NOTES);
+  addNotes(create, [
+    ...API_KEY_SCOPES_HELP_NOTES,
+    "",
+    "Valid permissions: read, write, create, update, delete",
+    "  write = create + update + delete",
+    "  Permissions auto-generate XACML policies (allowedEntityTypes respected)."
+  ]);
   addExamples(create, [
     {
       description: "Create an API key with flags",
       command: "geonic me api-keys create --name my-app --scopes read:entities --origins 'https://example.com'"
     },
+    {
+      description: "Create with permissions (auto-generates XACML policy)",
+      command: "geonic me api-keys create --name my-app --permissions read,write --save"
+    },
     {
       description: "Create and save API key to config",
       command: "geonic me api-keys create --name my-app --save"
@@ -3196,7 +3222,7 @@ function registerUsersCommand(parent) {
     }
   ]);
   const create = users.command("create [json]").description(
-    'Create a new user\n\nJSON payload example:\n  {\n    "email": "user@example.com",\n    "password": "SecurePassword123!",\n    "role": "super_admin"\n  }'
+    'Create a new user\n\nJSON payload example:\n  {\n    "email": "user@example.com",\n    "password": "SecurePassword123!",\n    "role": "tenant_admin",\n    "tenantId": "<tenant-id>"\n  }\n\nRoles: super_admin, tenant_admin, user\ntenantId is required for tenant_admin and user roles.'
   ).action(
     withErrorHandler(async (json, _opts, cmd) => {
       const body = await parseJsonInput(json);
@@ -3211,8 +3237,12 @@ function registerUsersCommand(parent) {
   );
   addExamples(create, [
     {
-      description: "Create with inline JSON",
-      command: `geonic admin users create '{"email":"user@example.com","password":"SecurePassword123!","role":"super_admin"}'`
+      description: "Create a tenant admin",
+      command: `geonic admin users create '{"email":"admin@example.com","password":"SecurePass12345!","role":"tenant_admin","tenantId":"<tenant-id>"}'`
+    },
+    {
+      description: "Create a user for a tenant",
+      command: `geonic admin users create '{"email":"user@example.com","password":"SecurePass12345!","role":"user","tenantId":"<tenant-id>"}'`
     },
     {
       description: "Create from a JSON file",
@@ -3356,7 +3386,7 @@ function registerPoliciesCommand(parent) {
     }
   ]);
   const create = policies.command("create [json]").description(
-    'Create a new policy\n\nJSON payload example:\n  {\n    "description": "Allow all entities",\n    "rules": [{"ruleId": "allow-all", "effect": "Permit"}]\n  }'
+    'Create a new policy\n\nJSON payload examples:\n\n  Allow all entities:\n  {\n    "description": "Allow all entities",\n    "rules": [{"ruleId": "allow-all", "effect": "Permit"}]\n  }\n\n  Allow GET access to a specific entity type:\n  {\n    "description": "Allow GET access to Landmark entities",\n    "target": {\n      "resources": [{"attributeId": "entityType", "matchValue": "Landmark"}],\n      "actions": [{"attributeId": "method", "matchValue": "GET"}]\n    },\n    "rules": [{"ruleId": "permit-get", "effect": "Permit"}]\n  }\n\nTarget fields:\n  subjects   \u2014 attributeId: role, userId, email, tenantId\n  resources  \u2014 attributeId: path, entityType, entityId, entityOwner, tenantService, servicePath\n  actions    \u2014 attributeId: method (GET, POST, PATCH, DELETE)\n\nEach element: {attributeId, matchValue, matchFunction?}\n  matchFunction: "string-equal" (default) | "string-regexp" | "glob"\n\nPriority: higher number = higher priority (default: 0).\n  Custom policies (e.g. 100) override default role policies (0).\n\nDefault role policies (priority 0):\n  user \u2192 GET only, api_key \u2192 all Deny, anonymous \u2192 all Deny'
   ).action(
     withErrorHandler(async (json, _opts, cmd) => {
       const body = await parseJsonInput(json);
@@ -3374,6 +3404,18 @@ function registerPoliciesCommand(parent) {
       description: "Create with inline JSON",
       command: `geonic admin policies create '{"description":"Allow all entities","rules":[{"ruleId":"allow-all","effect":"Permit"}]}'`
     },
+    {
+      description: "Create with target (entity type + method)",
+      command: `geonic admin policies create '{"description":"Allow GET Landmark","target":{"resources":[{"attributeId":"entityType","matchValue":"Landmark"}],"actions":[{"attributeId":"method","matchValue":"GET"}]},"rules":[{"ruleId":"permit-get","effect":"Permit"}]}'`
+    },
+    {
+      description: "Create anonymous access policy",
+      command: `geonic admin policies create '{"policyId":"public-read","target":{"subjects":[{"attributeId":"role","matchValue":"anonymous"}],"resources":[{"attributeId":"entityType","matchValue":"WeatherObserved"}],"actions":[{"attributeId":"method","matchValue":"GET"}]},"rules":[{"effect":"Permit"}]}'`
+    },
+    {
+      description: "Create servicePath-based policy (glob match)",
+      command: `geonic admin policies create '{"description":"Allow read on /opendata/**","priority":100,"target":{"resources":[{"attributeId":"servicePath","matchValue":"/opendata/**","matchFunction":"glob"}],"actions":[{"attributeId":"method","matchValue":"GET"}]},"rules":[{"effect":"Permit"}]}'`
+    },
     {
       description: "Create from a JSON file",
       command: "geonic admin policies create @policy.json"
@@ -3672,6 +3714,7 @@ function buildBodyFromFlags(opts) {
     payload.rateLimit = { perMinute };
   }
   if (opts.dpopRequired !== void 0) payload.dpopRequired = opts.dpopRequired;
+  if (opts.permissions) payload.permissions = parsePermissions(opts.permissions);
   if (opts.tenantId) payload.tenantId = opts.tenantId;
   return payload;
 }
@@ -3717,14 +3760,14 @@ function registerApiKeysCommand(parent) {
       command: "geonic admin api-keys get <key-id>"
     }
   ]);
-  const create = apiKeys.command("create [json]").description("Create a new API key").option("--name <name>", "Key name").option("--scopes <scopes>", "Comma-separated scopes").option("--origins <origins>", "Comma-separated origins").option("--entity-types <types>", "Comma-separated entity types").option("--rate-limit <n>", "Rate limit per minute").option("--dpop-required", "Require DPoP token binding").option("--tenant-id <id>", "Tenant ID").option("--save", "Save the API key to profile config").action(
+  const create = apiKeys.command("create [json]").description("Create a new API key").option("--name <name>", "Key name").option("--scopes <scopes>", "Comma-separated scopes").option("--origins <origins>", "Comma-separated origins").option("--entity-types <types>", "Comma-separated entity types").option("--rate-limit <n>", "Rate limit per minute").option("--dpop-required", "Require DPoP token binding").option("--permissions <perms>", "Comma-separated permissions (read, write, create, update, delete)").option("--tenant-id <id>", "Tenant ID").option("--save", "Save the API key to profile config").action(
     withErrorHandler(async (json, _opts, cmd) => {
       const opts = cmd.opts();
       validateOrigins(void 0, opts);
       let body;
       if (json) {
         body = await parseJsonInput(json);
-      } else if (opts.name || opts.scopes || opts.origins || opts.entityTypes || opts.rateLimit || opts.dpopRequired !== void 0 || opts.tenantId) {
+      } else if (opts.name || opts.scopes || opts.origins || opts.entityTypes || opts.rateLimit || opts.dpopRequired !== void 0 || opts.permissions || opts.tenantId) {
         body = buildBodyFromFlags(opts);
       } else {
         body = await parseJsonInput();
@@ -3756,12 +3799,22 @@ function registerApiKeysCommand(parent) {
       console.error("API key created.");
     })
   );
-  addNotes(create, SCOPES_HELP_NOTES);
+  addNotes(create, [
+    ...API_KEY_SCOPES_HELP_NOTES,
+    "",
+    "Valid permissions: read, write, create, update, delete",
+    "  write = create + update + delete",
+    "  Permissions auto-generate XACML policies (allowedEntityTypes respected)."
+  ]);
   addExamples(create, [
     {
       description: "Create an API key with flags",
       command: "geonic admin api-keys create --name my-key --scopes read:entities,write:entities --origins '*'"
     },
+    {
+      description: "Create with permissions (auto-generates XACML policy)",
+      command: "geonic admin api-keys create --name my-key --permissions read,write --origins '*'"
+    },
     {
       description: "Create an API key with DPoP required",
       command: "geonic admin api-keys create --name my-key --dpop-required"
@@ -3771,7 +3824,7 @@ function registerApiKeysCommand(parent) {
       command: "geonic admin api-keys create @key.json --save"
     }
   ]);
-  const update = apiKeys.command("update <keyId> [json]").description("Update an API key").option("--name <name>", "Key name").option("--scopes <scopes>", "Comma-separated scopes").option("--origins <origins>", "Comma-separated origins").option("--entity-types <types>", "Comma-separated entity types").option("--rate-limit <n>", "Rate limit per minute").option("--dpop-required", "Require DPoP token binding").option("--no-dpop-required", "Disable DPoP token binding").action(
+  const update = apiKeys.command("update <keyId> [json]").description("Update an API key").option("--name <name>", "Key name").option("--scopes <scopes>", "Comma-separated scopes").option("--origins <origins>", "Comma-separated origins").option("--entity-types <types>", "Comma-separated entity types").option("--rate-limit <n>", "Rate limit per minute").option("--dpop-required", "Require DPoP token binding").option("--no-dpop-required", "Disable DPoP token binding").option("--permissions <perms>", "Comma-separated permissions (read, write, create, update, delete)").action(
     withErrorHandler(
       async (keyId, json, _opts, cmd) => {
         const opts = cmd.opts();
@@ -3779,7 +3832,7 @@ function registerApiKeysCommand(parent) {
         let body;
         if (json) {
           body = await parseJsonInput(json);
-        } else if (opts.name || opts.scopes || opts.origins || opts.entityTypes || opts.rateLimit || opts.dpopRequired !== void 0) {
+        } else if (opts.name || opts.scopes || opts.origins || opts.entityTypes || opts.rateLimit || opts.dpopRequired !== void 0 || opts.permissions) {
           body = buildBodyFromFlags(opts);
         } else {
           body = await parseJsonInput();
@@ -3797,12 +3850,22 @@ function registerApiKeysCommand(parent) {
       }
     )
   );
-  addNotes(update, SCOPES_HELP_NOTES);
+  addNotes(update, [
+    ...API_KEY_SCOPES_HELP_NOTES,
+    "",
+    "Valid permissions: read, write, create, update, delete",
+    "  write = create + update + delete",
+    "  Permissions auto-generate XACML policies (allowedEntityTypes respected)."
+  ]);
   addExamples(update, [
     {
       description: "Update an API key name",
       command: "geonic admin api-keys update <key-id> --name new-name"
     },
+    {
+      description: "Update permissions",
+      command: "geonic admin api-keys update <key-id> --permissions read,write"
+    },
     {
       description: "Enable DPoP requirement",
       command: "geonic admin api-keys update <key-id> --dpop-required"