@jmruthers/pace-core 0.6.4 → 0.6.6

package/src/rbac/compliance/pattern-detector.ts

@@ -0,0 +1,553 @@
+/**
+ * Pattern Detector for RBAC Compliance
+ * @package @jmruthers/pace-core
+ * @module RBAC/Compliance/PatternDetector
+ * @since 1.0.0
+ * 
+ * This module provides static and runtime pattern detection for RBAC violations.
+ * It detects direct RPC calls, direct table queries, and other non-standard patterns.
+ */
+
+import { getRBACLogger } from '../config';
+
+export interface PatternViolation {
+  type: 'direct-rpc-call' | 'direct-table-query' | 'bypass-pattern' | 'custom-component' | 'hardcoded-role-check' | 'custom-permission-utility' | 'ui-only-access-control' | 'permission-bypass-comment' | 'resource-permission-string-literal' | 'permission-wrapper-function';
+  file?: string;
+  line?: number;
+  message: string;
+  recommendation: string;
+}
+
+export interface PatternDetectionResult {
+  violations: PatternViolation[];
+  isCompliant: boolean;
+  summary: {
+    directRpcCalls: number;
+    directTableQueries: number;
+    bypassPatterns: number;
+    customComponents: number;
+    hardcodedRoleChecks: number;
+    customPermissionUtilities: number;
+    uiOnlyAccessControl: number;
+    permissionBypassComments: number;
+    resourcePermissionStringLiterals: number;
+    permissionWrapperFunctions: number;
+  };
+}
+
+/**
+ * RBAC table names that should not be queried directly
+ */
+const RBAC_TABLES = [
+  'rbac_organisation_roles',
+  'rbac_event_app_roles',
+  'rbac_global_roles',
+  'rbac_apps',
+  'rbac_app_pages',
+  'rbac_page_permissions',
+  'rbac_user_profiles'
+];
+
+/**
+ * Detect direct RPC calls to rbac_check_permission_simplified
+ * 
+ * @param code - Source code to analyze
+ * @param filePath - File path for reporting
+ * @returns Array of violations
+ */
+export function detectDirectRpcCalls(code: string, filePath?: string): PatternViolation[] {
+  const violations: PatternViolation[] = [];
+  const lines = code.split('\n');
+  
+  // Skip if this is in pace-core package itself
+  if (filePath && (filePath.includes('packages/core/src/rbac') || filePath.includes('packages\\core\\src\\rbac'))) {
+    return violations;
+  }
+  
+  // Pattern: .rpc('rbac_check_permission_simplified', ...)
+  const rpcPattern = /\.rpc\s*\(\s*['"]rbac_check_permission_simplified['"]/g;
+  let match;
+  let lineNumber = 1;
+  
+  for (const line of lines) {
+    if (rpcPattern.test(line)) {
+      violations.push({
+        type: 'direct-rpc-call',
+        file: filePath,
+        line: lineNumber,
+        message: `Direct RPC call to 'rbac_check_permission_simplified' detected`,
+        recommendation: "Use isPermitted() from '@jmruthers/pace-core/rbac' instead of calling the RPC directly."
+      });
+    }
+    lineNumber++;
+  }
+  
+  return violations;
+}
+
+/**
+ * Detect direct queries to RBAC tables
+ * 
+ * @param code - Source code to analyze
+ * @param filePath - File path for reporting
+ * @returns Array of violations
+ */
+export function detectDirectTableQueries(code: string, filePath?: string): PatternViolation[] {
+  const violations: PatternViolation[] = [];
+  const lines = code.split('\n');
+  
+  // Skip if this is in pace-core package itself
+  if (filePath && (filePath.includes('packages/core/src/rbac') || filePath.includes('packages\\core\\src\\rbac'))) {
+    return violations;
+  }
+  
+  // Pattern: .from('rbac_*')
+  const fromPattern = /\.from\s*\(\s*['"](rbac_\w+)['"]/g;
+  let lineNumber = 1;
+  
+  for (const line of lines) {
+    let match;
+    while ((match = fromPattern.exec(line)) !== null) {
+      const tableName = match[1];
+      if (RBAC_TABLES.includes(tableName) || tableName.startsWith('rbac_')) {
+        violations.push({
+          type: 'direct-table-query',
+          file: filePath,
+          line: lineNumber,
+          message: `Direct query to RBAC table '${tableName}' detected`,
+          recommendation: `Use pace-core RBAC API functions from '@jmruthers/pace-core/rbac' instead of querying '${tableName}' directly.`
+        });
+      }
+    }
+    lineNumber++;
+  }
+  
+  return violations;
+}
+
+/**
+ * Detect custom access denied components
+ * 
+ * @param code - Source code to analyze
+ * @param filePath - File path for reporting
+ * @returns Array of violations
+ */
+export function detectCustomAccessDeniedComponents(code: string, filePath?: string): PatternViolation[] {
+  const violations: PatternViolation[] = [];
+  const lines = code.split('\n');
+  
+  // Skip if this is in pace-core package itself
+  if (filePath && (filePath.includes('packages/core/src/rbac') || filePath.includes('packages\\core\\src\\rbac'))) {
+    return violations;
+  }
+  
+  // Check if AccessDenied is imported from pace-core
+  const hasPaceCoreAccessDenied = /from\s+['"]@jmruthers\/pace-core\/rbac['"].*AccessDenied/.test(code) ||
+                                   /import.*AccessDenied.*from\s+['"]@jmruthers\/pace-core\/rbac['"]/.test(code);
+  
+  if (hasPaceCoreAccessDenied) {
+    return violations; // Using pace-core AccessDenied, no violation
+  }
+  
+  // Pattern: function AccessDenied, const AccessDenied, export AccessDenied, etc.
+  const accessDeniedPatterns = [
+    /(?:function|const|export\s+(?:function|const)?)\s+(AccessDenied|PermissionDenied|AccessDeniedPage|PermissionDeniedPage|Unauthorized|UnauthorizedPage)\s*[=:]/g,
+    /export\s+default\s+(?:function\s+)?(AccessDenied|PermissionDenied|AccessDeniedPage|PermissionDeniedPage|Unauthorized|UnauthorizedPage)/g
+  ];
+  
+  let lineNumber = 1;
+  
+  for (const line of lines) {
+    for (const pattern of accessDeniedPatterns) {
+      const match = pattern.exec(line);
+      if (match) {
+        const componentName = match[1];
+        violations.push({
+          type: 'custom-component',
+          file: filePath,
+          line: lineNumber,
+          message: `Custom access denied component '${componentName}' detected`,
+          recommendation: `Use AccessDenied from '@jmruthers/pace-core/rbac' instead of creating a custom '${componentName}' component.`
+        });
+      }
+    }
+    lineNumber++;
+  }
+  
+  return violations;
+}
+
+/**
+ * Detect hardcoded role checks (e.g., role === 'admin', user.role === 'org_admin')
+ * 
+ * @param code - Source code to analyze
+ * @param filePath - File path for reporting
+ * @returns Array of violations
+ */
+export function detectHardcodedRoleChecks(code: string, filePath?: string): PatternViolation[] {
+  const violations: PatternViolation[] = [];
+  const lines = code.split('\n');
+  
+  // Skip if this is in pace-core package itself
+  if (filePath && (filePath.includes('packages/core/src/rbac') || filePath.includes('packages\\core\\src\\rbac'))) {
+    return violations;
+  }
+  
+  // Pattern: role === 'admin', user.role === 'org_admin', etc.
+  // Common role names to detect
+  const roleNames = ['admin', 'org_admin', 'event_admin', 'user', 'member', 'viewer', 'editor'];
+  const roleCheckPattern = new RegExp(
+    `(?:role|user\\.role|userRole|currentRole|userRoleName)\\s*(?:===|!==|==|!=)\\s*['"](${roleNames.join('|')})['"]`,
+    'gi'
+  );
+  
+  let lineNumber = 1;
+  
+  for (const line of lines) {
+    const match = roleCheckPattern.exec(line);
+    if (match) {
+      const roleName = match[1];
+      violations.push({
+        type: 'hardcoded-role-check',
+        file: filePath,
+        line: lineNumber,
+        message: `Hardcoded role check detected: comparing role to '${roleName}'`,
+        recommendation: "Use useAccessLevel hook or getRoleContext API from '@jmruthers/pace-core/rbac' instead of hardcoded role checks."
+      });
+    }
+    lineNumber++;
+  }
+  
+  return violations;
+}
+
+/**
+ * Detect custom permission utility functions (e.g., checkPermission, hasPermission, canAccess)
+ * 
+ * @param code - Source code to analyze
+ * @param filePath - File path for reporting
+ * @returns Array of violations
+ */
+export function detectCustomPermissionUtilities(code: string, filePath?: string): PatternViolation[] {
+  const violations: PatternViolation[] = [];
+  const lines = code.split('\n');
+  
+  // Skip if this is in pace-core package itself
+  if (filePath && (filePath.includes('packages/core/src/rbac') || filePath.includes('packages\\core\\src\\rbac'))) {
+    return violations;
+  }
+  
+  // Check if pace-core permission functions are imported
+  const hasPaceCoreImports = /from\s+['"]@jmruthers\/pace-core\/rbac['"]/.test(code);
+  
+  // Pattern: function checkPermission, const hasPermission, export canAccess, etc.
+  const permissionUtilityPatterns = [
+    /(?:function|const|export\s+(?:function|const)?)\s+(checkPermission|hasPermission|canAccess|checkAccess|verifyPermission|hasAccess|canPerform|checkCan|hasCan)\s*[=:]/g,
+    /export\s+default\s+(?:function\s+)?(checkPermission|hasPermission|canAccess|checkAccess|verifyPermission|hasAccess|canPerform|checkCan|hasCan)/g
+  ];
+  
+  let lineNumber = 1;
+  
+  for (const line of lines) {
+    for (const pattern of permissionUtilityPatterns) {
+      const match = pattern.exec(line);
+      if (match) {
+        const functionName = match[1];
+        // Only flag if not importing from pace-core (might be using pace-core functions)
+        if (!hasPaceCoreImports || !line.includes('@jmruthers/pace-core')) {
+          violations.push({
+            type: 'custom-permission-utility',
+            file: filePath,
+            line: lineNumber,
+            message: `Custom permission utility function '${functionName}' detected`,
+            recommendation: `Use isPermitted API or useCan hook from '@jmruthers/pace-core/rbac' instead of creating custom permission utilities.`
+          });
+        }
+      }
+    }
+    lineNumber++;
+  }
+  
+  return violations;
+}
+
+/**
+ * Detect permission bypass comments (e.g., TODO: add permission check, FIXME: security)
+ * 
+ * @param code - Source code to analyze
+ * @param filePath - File path for reporting
+ * @returns Array of violations
+ */
+export function detectPermissionBypassComments(code: string, filePath?: string): PatternViolation[] {
+  const violations: PatternViolation[] = [];
+  const lines = code.split('\n');
+  
+  // Skip if this is in pace-core package itself
+  if (filePath && (filePath.includes('packages/core/src/rbac') || filePath.includes('packages\\core\\src\\rbac'))) {
+    return violations;
+  }
+  
+  // Pattern: TODO/FIXME comments about permissions or security
+  const bypassCommentPattern = /(?:TODO|FIXME|XXX|HACK|NOTE):\s*(?:add|missing|need|fix|implement|check)\s+(?:permission|rbac|access|security|authorization|auth)/gi;
+  
+  let lineNumber = 1;
+  
+  for (const line of lines) {
+    if (bypassCommentPattern.test(line)) {
+      violations.push({
+        type: 'permission-bypass-comment',
+        file: filePath,
+        line: lineNumber,
+        message: `Permission bypass comment detected: ${line.trim()}`,
+        recommendation: "Add proper permission checks using pace-core APIs (isPermitted, useCan, useResourcePermissions) from '@jmruthers/pace-core/rbac'."
+      });
+    }
+    lineNumber++;
+  }
+  
+  return violations;
+}
+
+/**
+ * Detect permission wrapper functions that wrap pace-core hooks with additional logic
+ * 
+ * @param code - Source code to analyze
+ * @param filePath - File path for reporting
+ * @returns Array of violations
+ */
+export function detectPermissionWrapperFunctions(code: string, filePath?: string): PatternViolation[] {
+  const violations: PatternViolation[] = [];
+  const lines = code.split('\n');
+  
+  // Skip if this is in pace-core package itself
+  if (filePath && (filePath.includes('packages/core/src/rbac') || filePath.includes('packages\\core\\src\\rbac'))) {
+    return violations;
+  }
+  
+  // Check if pace-core RBAC is imported
+  const hasPaceCoreRBACImport = /from\s+['"]@jmruthers\/pace-core\/rbac['"]/.test(code);
+  
+  if (!hasPaceCoreRBACImport) {
+    return violations; // Can't have wrapper functions without pace-core imports
+  }
+  
+  // Pattern: Functions that start with 'can' and use permission hooks/functions with additional logic
+  // Examples:
+  // - const canEdit = (postId: string) => { const hasPermission = canUpdate('journal'); const post = posts.find(...); return hasPermission && !!post; };
+  // - function canDeletePost(postId: string) { if (!canDelete('journal')) return false; return posts.find(...); }
+  const permissionHookNames = ['useCan', 'useResourcePermissions', 'usePermissions', 'useMultiplePermissions'];
+  const permissionFunctionNames = ['canCreate', 'canUpdate', 'canDelete', 'canRead', 'can'];
+  
+  // Simple pattern matching for common wrapper function patterns
+  // This is a heuristic - it looks for functions that:
+  // 1. Start with 'can' or contain 'permission'/'access'
+  // 2. Use permission hooks or functions
+  // 3. Have additional logic (&&, ||, .find, .filter, etc.)
+  
+  let lineNumber = 1;
+  let functionStart = -1;
+  let functionName = '';
+  let functionBody = '';
+  let braceDepth = 0;
+  let inFunction = false;
+  
+  for (const line of lines) {
+    // Check for function start
+    const functionMatch = line.match(/(?:function|const|export\s+(?:function|const)?)\s+((?:can\w+|.*Permission.*|.*Access.*))\s*[=:]/);
+    if (functionMatch && !inFunction) {
+      const name = functionMatch[1];
+      // Check if name suggests a permission wrapper
+      if (name.toLowerCase().startsWith('can') || 
+          name.toLowerCase().includes('permission') ||
+          name.toLowerCase().includes('access')) {
+        inFunction = true;
+        functionStart = lineNumber;
+        functionName = name;
+        functionBody = line;
+        braceDepth = (line.match(/{/g) || []).length - (line.match(/}/g) || []).length;
+        continue;
+      }
+    }
+    
+    // If we're in a function, accumulate the body
+    if (inFunction) {
+      functionBody += '\n' + line;
+      braceDepth += (line.match(/{/g) || []).length - (line.match(/}/g) || []).length;
+      
+      // Check if function uses permission hooks/functions
+      const usesPermissionHooks = permissionHookNames.some(hook => functionBody.includes(hook));
+      const usesPermissionFunctions = permissionFunctionNames.some(fn => functionBody.includes(fn));
+      
+      // Check if function has additional logic beyond permission checking
+      const hasAdditionalLogic = (
+        functionBody.includes('&&') ||
+        functionBody.includes('||') ||
+        functionBody.includes('if') ||
+        functionBody.includes('.find') ||
+        functionBody.includes('.filter') ||
+        functionBody.includes('.map') ||
+        (functionBody.match(/return/g) || []).length > 1
+      );
+      
+      // Function ends when brace depth returns to 0 or we hit a semicolon for arrow functions
+      if (braceDepth <= 0 || (functionBody.includes('=>') && line.includes(';') && braceDepth === 0)) {
+        // Check if this is a wrapper function
+        if ((usesPermissionHooks || usesPermissionFunctions) && hasAdditionalLogic && functionBody.includes('(') && functionBody.includes(')')) {
+          violations.push({
+            type: 'permission-wrapper-function',
+            file: filePath,
+            line: functionStart,
+            message: `Permission wrapper function '${functionName}' detected`,
+            recommendation: "Use pace-core hooks (useCan, useResourcePermissions) directly in components instead of wrapping them with additional logic."
+          });
+        }
+        
+        // Reset
+        inFunction = false;
+        functionBody = '';
+        functionName = '';
+        braceDepth = 0;
+        functionStart = -1;
+      }
+    }
+    
+    lineNumber++;
+  }
+  
+  return violations;
+}
+
+/**
+ * Detect resource permission string literals (e.g., useResourcePermissions('journal'))
+ * 
+ * @param code - Source code to analyze
+ * @param filePath - File path for reporting
+ * @returns Array of violations
+ */
+export function detectResourcePermissionStringLiterals(code: string, filePath?: string): PatternViolation[] {
+  const violations: PatternViolation[] = [];
+  const lines = code.split('\n');
+  
+  // Skip if this is in pace-core package itself
+  if (filePath && (filePath.includes('packages/core/src/rbac') || filePath.includes('packages\\core\\src\\rbac'))) {
+    return violations;
+  }
+  
+  // Check if RESOURCE_NAMES constant is imported
+  const hasResourceNamesImport = /import.*RESOURCE_NAMES.*from/.test(code);
+  
+  // Pattern: useResourcePermissions('string-literal') or useResourcePermissions("string-literal")
+  // Exclude if using RESOURCE_NAMES constant
+  const resourcePermissionPattern = /useResourcePermissions\s*\(\s*['"]([^'"]+)['"]\s*\)/g;
+  
+  let lineNumber = 1;
+  
+  for (const line of lines) {
+    // Skip if line uses RESOURCE_NAMES constant
+    if (line.includes('RESOURCE_NAMES.')) {
+      lineNumber++;
+      continue;
+    }
+    
+    let match;
+    while ((match = resourcePermissionPattern.exec(line)) !== null) {
+      const resourceName = match[1];
+      // Only flag if not using RESOURCE_NAMES constant
+      if (!hasResourceNamesImport || !line.includes('RESOURCE_NAMES')) {
+        violations.push({
+          type: 'resource-permission-string-literal',
+          file: filePath,
+          line: lineNumber,
+          message: `Resource permission string literal detected: useResourcePermissions('${resourceName}')`,
+          recommendation: "Use RESOURCE_NAMES constant object instead of string literals. Create RESOURCE_NAMES constant and use RESOURCE_NAMES.JOURNAL, RESOURCE_NAMES.RISKS, etc."
+        });
+      }
+    }
+    lineNumber++;
+  }
+  
+  return violations;
+}
+
+/**
+ * Detect all RBAC pattern violations in code
+ * 
+ * @param code - Source code to analyze
+ * @param filePath - File path for reporting
+ * @returns Pattern detection result
+ */
+export function detectPatternViolations(code: string, filePath?: string): PatternDetectionResult {
+  const rpcViolations = detectDirectRpcCalls(code, filePath);
+  const tableViolations = detectDirectTableQueries(code, filePath);
+  const componentViolations = detectCustomAccessDeniedComponents(code, filePath);
+  const roleCheckViolations = detectHardcodedRoleChecks(code, filePath);
+  const permissionUtilityViolations = detectCustomPermissionUtilities(code, filePath);
+  const bypassCommentViolations = detectPermissionBypassComments(code, filePath);
+  const resourceLiteralViolations = detectResourcePermissionStringLiterals(code, filePath);
+  const wrapperFunctionViolations = detectPermissionWrapperFunctions(code, filePath);
+  
+  const allViolations = [
+    ...rpcViolations,
+    ...tableViolations,
+    ...componentViolations,
+    ...roleCheckViolations,
+    ...permissionUtilityViolations,
+    ...bypassCommentViolations,
+    ...resourceLiteralViolations,
+    ...wrapperFunctionViolations
+  ];
+  
+  return {
+    violations: allViolations,
+    isCompliant: allViolations.length === 0,
+    summary: {
+      directRpcCalls: rpcViolations.length,
+      directTableQueries: tableViolations.length,
+      bypassPatterns: 0, // This would require route analysis
+      customComponents: componentViolations.length,
+      hardcodedRoleChecks: roleCheckViolations.length,
+      customPermissionUtilities: permissionUtilityViolations.length,
+      uiOnlyAccessControl: 0, // This would require cross-file analysis
+      permissionBypassComments: bypassCommentViolations.length,
+      resourcePermissionStringLiterals: resourceLiteralViolations.length,
+      permissionWrapperFunctions: wrapperFunctionViolations.length
+    }
+  };
+}
+
+/**
+ * Log pattern violations to console
+ * 
+ * @param result - Pattern detection result
+ */
+export function logPatternViolations(result: PatternDetectionResult): void {
+  const logger = getRBACLogger();
+  
+  if (result.isCompliant) {
+    logger.info('[RBAC Pattern Detection] No violations detected');
+    return;
+  }
+  
+  logger.warn(`[RBAC Pattern Detection] Found ${result.violations.length} violation(s):`);
+  
+  result.violations.forEach((violation, index) => {
+    const location = violation.file && violation.line 
+      ? `${violation.file}:${violation.line}`
+      : violation.file || 'unknown location';
+    
+    logger.warn(
+      `  ${index + 1}. [${violation.type}] ${violation.message}\n` +
+      `     Location: ${location}\n` +
+      `     Recommendation: ${violation.recommendation}`
+    );
+  });
+  
+  logger.warn(`\nSummary: ${result.summary.directRpcCalls} direct RPC calls, ` +
+    `${result.summary.directTableQueries} direct table queries, ` +
+    `${result.summary.customComponents} custom components, ` +
+    `${result.summary.hardcodedRoleChecks} hardcoded role checks, ` +
+    `${result.summary.customPermissionUtilities} custom permission utilities, ` +
+    `${result.summary.permissionBypassComments} permission bypass comments, ` +
+    `${result.summary.resourcePermissionStringLiterals} resource permission string literals`);
+}
+

package/src/rbac/compliance/runtime-compliance.ts

@@ -9,6 +9,7 @@
 
 import { validateRBACSetup, SetupIssue } from './setup-validator';
 import { getRBACLogger } from '../config';
+import { detectPatternViolations, logPatternViolations, type PatternDetectionResult } from './pattern-detector';
 
 export interface RuntimeComplianceResult {
   setup: {
@@ -20,6 +21,7 @@ export interface RuntimeComplianceResult {
     available: boolean;
     message?: string;
   };
+  patternDetection?: PatternDetectionResult;
 }
 
 /**
@@ -75,3 +77,23 @@ export function validateAndWarn(): void {
   }
 }
 
+/**
+ * Check pattern violations in source code
+ * 
+ * This function analyzes source code for RBAC pattern violations.
+ * It can be used for static analysis or runtime code inspection.
+ * 
+ * @param code - Source code to analyze
+ * @param filePath - Optional file path for better error reporting
+ * @returns Pattern detection result
+ */
+export function checkPatternCompliance(code: string, filePath?: string): PatternDetectionResult {
+  const result = detectPatternViolations(code, filePath);
+  
+  if (!result.isCompliant) {
+    logPatternViolations(result);
+  }
+  
+  return result;
+}
+