npm - @jmruthers/pace-core - Versions diffs - 0.5.39 → 0.5.41 - Mend

@jmruthers/pace-core 0.5.39 → 0.5.41

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (101) hide show

package/src/rbac/cli/policy-manager.ts ADDED Viewed

@@ -0,0 +1,443 @@
+#!/usr/bin/env node
+/**
+ * RBAC Policy Manager CLI Tool
+ *
+ * This tool provides command-line interface for managing RBAC-RLS integration policies.
+ * It allows developers and administrators to easily manage dynamic permission policies.
+ */
+import { createClient } from '@supabase/supabase-js';
+import { Command } from 'commander';
+import chalk from 'chalk';
+import ora from 'ora';
+import Table from 'cli-table3';
+interface PolicyConfig {
+  table_name: string;
+  page_name: string;
+  app_name: string;
+  organisation_column: string;
+  event_column?: string;
+  operations: string[];
+  is_active: boolean;
+}
+interface PolicyAudit {
+  table_name: string;
+  policy_name: string;
+  operation: string;
+  action: string;
+  changed_at: string;
+  success: boolean;
+  error_message?: string;
+}
+interface HealthCheck {
+  table_name: string;
+  policy_name: string;
+  operation: string;
+  is_healthy: boolean;
+  issues: string[];
+}
+class PolicyManager {
+  private supabase: any;
+  constructor(url: string, key: string) {
+    this.supabase = createClient(url, key);
+  }
+  /**
+   * List all registered tables
+   */
+  async listTables(): Promise<void> {
+    const spinner = ora('Fetching registered tables...').start();
+    try {
+      const { data, error } = await this.supabase
+        .from('rbac_policy_configs')
+        .select('*')
+        .eq('is_active', true)
+        .order('table_name');
+      if (error) throw error;
+      spinner.succeed('Fetched registered tables');
+      if (data.length === 0) {
+        console.log(chalk.yellow('No tables registered for RBAC policy management.'));
+        return;
+      }
+      const table = new Table({
+        head: ['Table', 'Page', 'App', 'Org Column', 'Event Column', 'Operations'],
+        colWidths: [20, 15, 10, 15, 15, 30]
+      });
+      data.forEach((config: PolicyConfig) => {
+        table.push([
+          config.table_name,
+          config.page_name,
+          config.app_name,
+          config.organisation_column,
+          config.event_column || 'N/A',
+          config.operations.join(', ')
+        ]);
+      });
+      console.log(table.toString());
+    } catch (error) {
+      spinner.fail('Failed to fetch tables');
+      console.error(chalk.red('Error:'), error instanceof Error ? error.message : String(error));
+    }
+  }
+  /**
+   * Register a new table for RBAC policy management
+   */
+  async registerTable(
+    tableName: string,
+    pageName: string,
+    appName: string = 'CAKE',
+    orgColumn: string = 'organisation_id',
+    eventColumn?: string,
+    operations: string[] = ['read', 'create', 'update', 'delete']
+  ): Promise<void> {
+    const spinner = ora(`Registering table ${tableName}...`).start();
+    try {
+      const { data, error } = await this.supabase
+        .rpc('register_rbac_table', {
+          p_table_name: tableName,
+          p_page_name: pageName,
+          p_app_name: appName,
+          p_organisation_column: orgColumn,
+          p_event_column: eventColumn,
+          p_operations: operations
+        });
+      if (error) throw error;
+      if (data) {
+        spinner.succeed(`Successfully registered table ${tableName}`);
+      } else {
+        spinner.fail(`Failed to register table ${tableName}`);
+      }
+    } catch (error) {
+      spinner.fail(`Failed to register table ${tableName}`);
+      console.error(chalk.red('Error:'), error instanceof Error ? error.message : String(error));
+    }
+  }
+  /**
+   * Update policies for a specific table
+   */
+  async updateTable(tableName: string, pageName: string, appName: string = 'CAKE'): Promise<void> {
+    const spinner = ora(`Updating policies for ${tableName}...`).start();
+    try {
+      const { data, error } = await this.supabase
+        .rpc('update_rbac_policies_for_table', {
+          p_table_name: tableName,
+          p_page_name: pageName,
+          p_app_name: appName
+        });
+      if (error) throw error;
+      if (data) {
+        spinner.succeed(`Successfully updated policies for ${tableName}`);
+      } else {
+        spinner.fail(`Failed to update policies for ${tableName}`);
+      }
+    } catch (error) {
+      spinner.fail(`Failed to update policies for ${tableName}`);
+      console.error(chalk.red('Error:'), error instanceof Error ? error.message : String(error));
+    }
+  }
+  /**
+   * Update all RBAC policies
+   */
+  async updateAll(): Promise<void> {
+    const spinner = ora('Updating all RBAC policies...').start();
+    try {
+      const { data, error } = await this.supabase
+        .rpc('update_all_rbac_policies');
+      if (error) throw error;
+      spinner.succeed('Updated all RBAC policies');
+      // Display results
+      const table = new Table({
+        head: ['Table', 'Page', 'App', 'Success', 'Error'],
+        colWidths: [20, 15, 10, 10, 30]
+      });
+      data.forEach((result: any) => {
+        table.push([
+          result.table_name,
+          result.page_name,
+          result.app_name,
+          result.success ? chalk.green('✓') : chalk.red('✗'),
+          result.error_message || ''
+        ]);
+      });
+      console.log(table.toString());
+    } catch (error) {
+      spinner.fail('Failed to update all policies');
+      console.error(chalk.red('Error:'), error instanceof Error ? error.message : String(error));
+    }
+  }
+  /**
+   * Check policy health
+   */
+  async checkHealth(): Promise<void> {
+    const spinner = ora('Checking policy health...').start();
+    try {
+      const { data, error } = await this.supabase
+        .rpc('check_rbac_policy_health');
+      if (error) throw error;
+      spinner.succeed('Policy health check complete');
+      if (data.length === 0) {
+        console.log(chalk.yellow('No policies found.'));
+        return;
+      }
+      const healthyPolicies = data.filter((h: HealthCheck) => h.is_healthy);
+      const unhealthyPolicies = data.filter((h: HealthCheck) => !h.is_healthy);
+      console.log(chalk.green(`✓ ${healthyPolicies.length} healthy policies`));
+      console.log(chalk.red(`✗ ${unhealthyPolicies.length} unhealthy policies`));
+      if (unhealthyPolicies.length > 0) {
+        console.log('\n' + chalk.red('Unhealthy Policies:'));
+        const table = new Table({
+          head: ['Table', 'Policy', 'Operation', 'Issues'],
+          colWidths: [20, 25, 10, 40]
+        });
+        unhealthyPolicies.forEach((policy: HealthCheck) => {
+          table.push([
+            policy.table_name,
+            policy.policy_name,
+            policy.operation,
+            policy.issues.join(', ')
+          ]);
+        });
+        console.log(table.toString());
+      }
+    } catch (error) {
+      spinner.fail('Failed to check policy health');
+      console.error(chalk.red('Error:'), error instanceof Error ? error.message : String(error));
+    }
+  }
+  /**
+   * Show policy audit log
+   */
+  async showAudit(limit: number = 20): Promise<void> {
+    const spinner = ora('Fetching audit log...').start();
+    try {
+      const { data, error } = await this.supabase
+        .from('rbac_policy_audit')
+        .select('*')
+        .order('changed_at', { ascending: false })
+        .limit(limit);
+      if (error) throw error;
+      spinner.succeed('Fetched audit log');
+      if (data.length === 0) {
+        console.log(chalk.yellow('No audit entries found.'));
+        return;
+      }
+      const table = new Table({
+        head: ['Table', 'Policy', 'Operation', 'Action', 'Success', 'Changed At'],
+        colWidths: [15, 20, 10, 10, 8, 20]
+      });
+      data.forEach((audit: PolicyAudit) => {
+        table.push([
+          audit.table_name,
+          audit.policy_name,
+          audit.operation,
+          audit.action,
+          audit.success ? chalk.green('✓') : chalk.red('✗'),
+          new Date(audit.changed_at).toLocaleString()
+        ]);
+      });
+      console.log(table.toString());
+    } catch (error) {
+      spinner.fail('Failed to fetch audit log');
+      console.error(chalk.red('Error:'), error instanceof Error ? error.message : String(error));
+    }
+  }
+  /**
+   * Test permission check
+   */
+  async testPermission(
+    operation: string,
+    pageName: string,
+    orgId: string,
+    eventId?: string,
+    appName: string = 'CAKE'
+  ): Promise<void> {
+    const spinner = ora('Testing permission check...').start();
+    try {
+      const { data, error } = await this.supabase
+        .rpc('check_rbac_permission_with_context', {
+          p_operation: operation,
+          p_page_name: pageName,
+          p_resource_organisation_id: orgId,
+          p_resource_event_id: eventId,
+          p_app_name: appName
+        });
+      if (error) throw error;
+      spinner.succeed('Permission check complete');
+      const result = data ? chalk.green('ALLOWED') : chalk.red('DENIED');
+      console.log(`Permission: ${operation} on ${pageName} = ${result}`);
+    } catch (error) {
+      spinner.fail('Failed to test permission');
+      console.error(chalk.red('Error:'), error instanceof Error ? error.message : String(error));
+    }
+  }
+}
+// CLI Setup
+const program = new Command();
+program
+  .name('rbac-policy-manager')
+  .description('CLI tool for managing RBAC-RLS integration policies')
+  .version('1.0.0');
+// Global options
+program
+  .option('-u, --url <url>', 'Supabase URL', process.env.SUPABASE_URL)
+  .option('-k, --key <key>', 'Supabase service key', process.env.SUPABASE_SERVICE_ROLE_KEY)
+  .option('--verbose', 'Enable verbose output');
+// List tables command
+program
+  .command('list')
+  .description('List all registered tables')
+  .action(async (options) => {
+    const url = options.parent?.url || process.env.SUPABASE_URL;
+    const key = options.parent?.key || process.env.SUPABASE_SERVICE_ROLE_KEY;
+    const manager = new PolicyManager(url, key);
+    await manager.listTables();
+  });
+// Register table command
+program
+  .command('register <tableName> <pageName>')
+  .description('Register a table for RBAC policy management')
+  .option('-a, --app <appName>', 'App name', 'CAKE')
+  .option('-o, --org-column <column>', 'Organisation column name', 'organisation_id')
+  .option('-e, --event-column <column>', 'Event column name')
+  .option('--operations <operations>', 'Comma-separated operations', 'read,create,update,delete')
+  .action(async (tableName, pageName, options) => {
+    const operations = options.operations.split(',').map((op: string) => op.trim());
+    const url = options.parent?.url || process.env.SUPABASE_URL;
+    const key = options.parent?.key || process.env.SUPABASE_SERVICE_ROLE_KEY;
+    const manager = new PolicyManager(url, key);
+    await manager.registerTable(
+      tableName,
+      pageName,
+      options.app,
+      options.orgColumn,
+      options.eventColumn,
+      operations
+    );
+  });
+// Update table command
+program
+  .command('update <tableName> <pageName>')
+  .description('Update policies for a specific table')
+  .option('-a, --app <appName>', 'App name', 'CAKE')
+  .action(async (tableName, pageName, options) => {
+    const url = options.parent?.url || process.env.SUPABASE_URL;
+    const key = options.parent?.key || process.env.SUPABASE_SERVICE_ROLE_KEY;
+    const manager = new PolicyManager(url, key);
+    await manager.updateTable(tableName, pageName, options.app);
+  });
+// Update all command
+program
+  .command('update-all')
+  .description('Update all RBAC policies')
+  .action(async (options) => {
+    const url = options.url || process.env.SUPABASE_URL;
+    const key = options.key || process.env.SUPABASE_SERVICE_ROLE_KEY;
+    const manager = new PolicyManager(url, key);
+    await manager.updateAll();
+  });
+// Health check command
+program
+  .command('health')
+  .description('Check policy health')
+  .action(async (options) => {
+    const url = options.url || process.env.SUPABASE_URL;
+    const key = options.key || process.env.SUPABASE_SERVICE_ROLE_KEY;
+    const manager = new PolicyManager(url, key);
+    await manager.checkHealth();
+  });
+// Audit command
+program
+  .command('audit')
+  .description('Show policy audit log')
+  .option('-l, --limit <number>', 'Number of entries to show', '20')
+  .action(async (options) => {
+    const url = options.parent?.url || process.env.SUPABASE_URL;
+    const key = options.parent?.key || process.env.SUPABASE_SERVICE_ROLE_KEY;
+    const manager = new PolicyManager(url, key);
+    await manager.showAudit(parseInt(options.limit));
+  });
+// Test permission command
+program
+  .command('test <operation> <pageName> <orgId>')
+  .description('Test a permission check')
+  .option('-e, --event-id <eventId>', 'Event ID')
+  .option('-a, --app <appName>', 'App name', 'CAKE')
+  .action(async (operation, pageName, orgId, options) => {
+    const url = options.parent?.url || process.env.SUPABASE_URL;
+    const key = options.parent?.key || process.env.SUPABASE_SERVICE_ROLE_KEY;
+    const manager = new PolicyManager(url, key);
+    await manager.testPermission(operation, pageName, orgId, options.eventId, options.app);
+  });
+// Parse command line arguments
+program.parse(process.argv);
+// Handle missing required options
+if (!process.env.SUPABASE_URL || !process.env.SUPABASE_SERVICE_ROLE_KEY) {
+  console.error(chalk.red('Error: Missing required environment variables'));
+  console.error('Please set SUPABASE_URL and SUPABASE_SERVICE_ROLE_KEY');
+  process.exit(1);
+}
+export { PolicyManager };