@lark-apaas/nestjs-authzpaas 0.1.0-alpha.4 → 0.1.0-alpha.40

package/dist/index.cjs

@@ -24,18 +24,13 @@ __export(index_exports, {
   ANONYMOUS_USER_ID: () => ANONYMOUS_USER_ID,
   AUTHZPAAS_MODULE_OPTIONS: () => AUTHZPAAS_MODULE_OPTIONS,
   AbilityFactory: () => AbilityFactory,
+  AuthZPaasGuard: () => AuthZPaasGuard,
   AuthZPaasModule: () => AuthZPaasModule,
-  CACHE_CONFIG_TOKEN: () => CACHE_CONFIG_TOKEN,
   CanRole: () => CanRole,
-  DEFAULT_LOGIN_PATH: () => DEFAULT_LOGIN_PATH,
-  ENABLE_MOCK_ROLE_KEY: () => ENABLE_MOCK_ROLE_KEY,
-  ENVIRONMENT_KEY: () => ENVIRONMENT_KEY,
-  MOCK_ROLES_COOKIE_KEY: () => MOCK_ROLES_COOKIE_KEY,
-  NEED_LOGIN_KEY: () => NEED_LOGIN_KEY2,
-  PERMISSIONS_KEY: () => PERMISSIONS_KEY,
   PERMISSION_API_CONFIG_TOKEN: () => PERMISSION_API_CONFIG_TOKEN,
   PermissionDeniedException: () => PermissionDeniedException,
   PermissionDeniedType: () => PermissionDeniedType,
+  PermissionService: () => PermissionService,
   ROLES_KEY: () => ROLES_KEY,
   ROLE_SUBJECT: () => ROLE_SUBJECT
 });
@@ -60,7 +55,7 @@ var __name2 = /* @__PURE__ */ __name((target, value) => __defProp2(target, "name
   value,
   configurable: true
 }), "__name");
-var AUTHNPAAS_MODULE_OPTIONS = Symbol("AUTHNPAAS_MODULE_OPTIONS");
+var AUTHNPAAS_MODULE_OPTIONS = /* @__PURE__ */ Symbol("AUTHNPAAS_MODULE_OPTIONS");
 var NEED_LOGIN_KEY = "authnpaas:needLogin";
 function _ts_decorate(decorators, target, key, desc) {
   var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
@@ -96,8 +91,8 @@ var AuthNPaasGuard = class {
       context.getClass()
     ]);
     if (needLoginMeta && !userId && loginUrl) {
-      response.redirect(302, loginUrl);
-      return false;
+      response.setHeader("x-login-url", loginUrl);
+      throw new import_common2.UnauthorizedException("\u672A\u767B\u5F55");
     }
     return true;
   }
@@ -159,16 +154,9 @@ var Public = /* @__PURE__ */ __name2(() => (0, import_common3.SetMetadata)(IS_PU
 
 // src/const.ts
 var ANONYMOUS_USER_ID = "anonymous_user_id";
-var PERMISSION_API_CONFIG_TOKEN = Symbol("PERMISSION_API_CONFIG");
-var CACHE_CONFIG_TOKEN = Symbol("CACHE_CONFIG");
-var AUTHZPAAS_MODULE_OPTIONS = Symbol("AUTHZPAAS_MODULE_OPTIONS");
+var PERMISSION_API_CONFIG_TOKEN = /* @__PURE__ */ Symbol("PERMISSION_API_CONFIG");
+var AUTHZPAAS_MODULE_OPTIONS = /* @__PURE__ */ Symbol("AUTHZPAAS_MODULE_OPTIONS");
 var ROLES_KEY = "authzpaas:roles";
-var PERMISSIONS_KEY = "authzpaas:permissions";
-var ENVIRONMENT_KEY = "authzpaas:environment";
-var NEED_LOGIN_KEY2 = "authzpaas:needLogin";
-var DEFAULT_LOGIN_PATH = "/login";
-var MOCK_ROLES_COOKIE_KEY = "mockRoles";
-var ENABLE_MOCK_ROLE_KEY = "__authzpaas_enableMockRole";
 
 // src/casl/ability.factory.ts
 var import_common5 = require("@nestjs/common");
@@ -250,15 +238,12 @@ var PermissionDeniedException = class _PermissionDeniedException extends import_
   /**
   * 创建角色不足异常
   */
-  static roleRequired(requiredRoles, and = false) {
-    const message = and ? `\u9700\u8981\u6240\u6709\u89D2\u8272: ${requiredRoles.join(", ")}` : `\u9700\u8981\u4EE5\u4E0B\u4EFB\u4E00\u89D2\u8272: ${requiredRoles.join(", ")}`;
+  static roleRequired(requiredRoles) {
+    const message = `\u9700\u8981\u4EE5\u4E0B\u4EFB\u4E00\u89D2\u8272: ${requiredRoles.join(", ")}`;
     return new _PermissionDeniedException({
       type: "ROLE_REQUIRED",
       message,
-      requiredRoles,
-      metadata: {
-        and
-      }
+      requiredRoles
     });
   }
   /**
@@ -286,6 +271,8 @@ var PermissionDeniedException = class _PermissionDeniedException extends import_
 };
 
 // src/services/permission.service.ts
+var import_nestjs_common = require("@lark-apaas/nestjs-common");
+var import_nestjs_common2 = require("@lark-apaas/nestjs-common");
 function _ts_decorate4(decorators, target, key, desc) {
   var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
   if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
@@ -303,62 +290,61 @@ function _ts_param(paramIndex, decorator) {
   };
 }
 __name(_ts_param, "_ts_param");
-var PermissionService = class _PermissionService {
+var PermissionService = class {
   static {
     __name(this, "PermissionService");
   }
   apiConfig;
   abilityFactory;
-  logger = new import_common7.Logger(_PermissionService.name);
-  constructor(apiConfig, abilityFactory) {
+  client;
+  requestContextService;
+  constructor(apiConfig, abilityFactory, client, requestContextService) {
     this.apiConfig = apiConfig;
     this.abilityFactory = abilityFactory;
+    this.client = client;
+    this.requestContextService = requestContextService;
   }
   /**
   * 获取用户权限数据
   */
-  async getUserPermissions(requestDto) {
-    const requestPromise = (async () => {
-      const userId = requestDto.userId || ANONYMOUS_USER_ID;
-      try {
-        const permissionData = await this.fetchFromApi(requestDto);
-        const dataWithTimestamp = {
-          ...permissionData,
-          fetchedAt: /* @__PURE__ */ new Date()
-        };
-        return dataWithTimestamp;
-      } catch (error) {
-        this.logger.error(`Failed to fetch permissions for user ${userId}:`, error);
-        throw error;
-      }
-    })();
-    return requestPromise;
+  async getUserPermissions({ laneId }) {
+    const permissionData = await this.fetchFromApi({
+      laneId
+    });
+    const dataWithTimestamp = {
+      ...permissionData,
+      fetchedAt: /* @__PURE__ */ new Date()
+    };
+    return dataWithTimestamp;
   }
   /**
   * 从 API 获取权限数据
   * 内置实现，用户无需配置
   */
-  async fetchFromApi(requestDto) {
+  async fetchFromApi({ laneId }) {
     const { timeout = 5e3 } = this.apiConfig || {};
-    const { baseUrl, userId, appId, cookies, csrfToken } = requestDto;
-    const url = `${baseUrl}/api/v1/permission/apps/${appId}/roles`;
+    const { appId = "", userId = "" } = this.requestContextService.getContext() || {};
+    if (!appId) {
+      throw new PermissionDeniedException({
+        type: PermissionDeniedType.PERMISSION_CONFIG_QUERY_FAILED,
+        message: "appId is empty"
+      }, import_common7.HttpStatus.BAD_REQUEST);
+    }
+    const url = `/app/${appId}/inner/api/v1/permissions/roles`;
     const requestHeaders = {
-      "Content-Type": "application/json"
+      "Content-Type": "application/json",
+      // 透传 laneId 到权限服务
+      ...laneId ? {
+        "x-tt-env": laneId || ""
+      } : {}
     };
-    if (cookies) {
-      const cookieString = Object.entries(cookies).map(([key, value]) => `${key}=${value}`).join("; ");
-      if (cookieString) {
-        requestHeaders.Cookie = cookieString;
-      }
-    }
-    if (csrfToken) {
-      requestHeaders["X-Suda-Csrf-Token"] = csrfToken;
-    }
     const controller = new AbortController();
     const timeoutId = setTimeout(() => controller.abort(), timeout);
     try {
-      const response = await fetch(url, {
-        method: "GET",
+      const response = await this.client.post(url, {
+        userID: userId || ""
+      }, {
+        credentials: "include",
         headers: requestHeaders,
         signal: controller.signal
       });
@@ -371,10 +357,22 @@ var PermissionService = class _PermissionService {
           message: error.message
         }, import_common7.HttpStatus.INTERNAL_SERVER_ERROR);
       }
-      const data = await response.json();
+      let data;
+      let responseText = "";
+      try {
+        responseText = await response.text();
+        data = JSON.parse(responseText);
+      } catch (jsonError) {
+        const error = new Error(`Permission API returned invalid JSON: ${responseText}`);
+        throw new PermissionDeniedException({
+          cause: error,
+          type: PermissionDeniedType.PERMISSION_CONFIG_QUERY_FAILED,
+          message: error.message
+        }, import_common7.HttpStatus.INTERNAL_SERVER_ERROR);
+      }
       return {
         userId,
-        roles: data.role_list || [],
+        roles: data.data?.roleList || [],
         // TODO: 基于权限点位设置能力
         // permissions: data.permissions || [],
         fetchedAt: /* @__PURE__ */ new Date()
@@ -418,18 +416,14 @@ var PermissionService = class _PermissionService {
   * 检查角色要求
   * 使用 CASL Ability 统一鉴权方式
   * @param requirement 角色要求
-  * @param userId 用户ID,匿名用户时为空
-  * @returns 用户权限数据
-  * @throws PermissionDeniedException 当角色不满足时
+  * @param laneId 环境ID
+  * @returns 用户权限检查结果，包含结果和详细信息
+  * @throws PermissionDeniedException 当权限数据获取失败时
   */
-  async checkRoles(requirement, userContext) {
-    const userId = userContext?.userId || ANONYMOUS_USER_ID;
+  async checkRoles(requirement, laneId) {
+    const { userId = "" } = this.requestContextService.getContext() || {};
     const permissionData = await this.getUserPermissions({
-      baseUrl: userContext?.baseUrl || "",
-      userId,
-      appId: userContext?.appId || "",
-      cookies: userContext?.cookies || {},
-      csrfToken: userContext?.csrfToken || ""
+      laneId
     });
     if (!permissionData) {
       throw new PermissionDeniedException({
@@ -439,31 +433,43 @@ var PermissionService = class _PermissionService {
       }, import_common7.HttpStatus.BAD_REQUEST);
     }
     const ability = this.abilityFactory.createForUser(permissionData);
-    const { roles, and } = requirement;
-    const checkResults = roles.map((role) => ability.can(role, ROLE_SUBJECT));
-    const hasRole = and ? checkResults.every((result) => result) : checkResults.some((result) => result);
+    const { roles } = requirement;
+    if (!roles || roles.length === 0) {
+      return {
+        result: true
+      };
+    }
+    const hasRole = roles.some((role) => ability.can(role, ROLE_SUBJECT));
     if (!hasRole) {
       const userRoles = permissionData.roles;
-      this.logger.warn(`\u89D2\u8272\u68C0\u67E5\u5931\u8D25: \u7528\u6237 ${userId}, \u7528\u6237\u89D2\u8272 [${userRoles.join(", ")}], \u9700\u8981 [${roles.join(", ")}]`);
-      throw PermissionDeniedException.roleRequired(roles, and);
+      return {
+        result: false,
+        details: `\u7528\u6237 ${userId}, \u7528\u6237\u89D2\u8272 [${userRoles.join(", ")}], \u9700\u8981 [${roles.join(", ")}]`
+      };
     }
-    return permissionData;
+    return {
+      result: true
+    };
   }
 };
 PermissionService = _ts_decorate4([
   (0, import_common7.Injectable)(),
   Public(),
   _ts_param(0, (0, import_common7.Inject)(PERMISSION_API_CONFIG_TOKEN)),
+  _ts_param(2, (0, import_common7.Inject)(import_nestjs_common.PLATFORM_HTTP_CLIENT)),
   _ts_metadata2("design:type", Function),
   _ts_metadata2("design:paramtypes", [
     typeof PermissionApiConfig === "undefined" ? Object : PermissionApiConfig,
-    typeof AbilityFactory === "undefined" ? Object : AbilityFactory
+    typeof AbilityFactory === "undefined" ? Object : AbilityFactory,
+    typeof import_nestjs_common.PlatformHttpClient === "undefined" ? Object : import_nestjs_common.PlatformHttpClient,
+    typeof import_nestjs_common2.RequestContextService === "undefined" ? Object : import_nestjs_common2.RequestContextService
   ])
 ], PermissionService);
 
 // src/guards/authzpaas.guard.ts
 var import_common8 = require("@nestjs/common");
 var import_core3 = require("@nestjs/core");
+var import_nestjs_common3 = require("@lark-apaas/nestjs-common");
 function _ts_decorate5(decorators, target, key, desc) {
   var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
   if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
@@ -475,42 +481,101 @@ function _ts_metadata3(k, v) {
   if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 }
 __name(_ts_metadata3, "_ts_metadata");
-var AuthZPaasGuard = class {
+function _ts_param2(paramIndex, decorator) {
+  return function(target, key) {
+    decorator(target, key, paramIndex);
+  };
+}
+__name(_ts_param2, "_ts_param");
+var AuthZPaasGuard = class _AuthZPaasGuard {
   static {
     __name(this, "AuthZPaasGuard");
   }
   reflector;
   permissionService;
-  constructor(reflector, permissionService) {
+  obs;
+  constructor(reflector, permissionService, obs) {
     this.reflector = reflector;
     this.permissionService = permissionService;
+    this.obs = obs;
+  }
+  logger = new import_common8.Logger(_AuthZPaasGuard.name);
+  /**
+  * 验证角色要求是否有效
+  * @param requirements 角色要求
+  * @returns 是否有效
+  */
+  isValidRoleRequirement(requirements) {
+    return Boolean(requirements && requirements.roles && requirements.roles.length > 0);
   }
   async canActivate(context) {
     const http = context.switchToHttp();
     const request = http.getRequest();
+    const laneId = request.headers["x-tt-env"];
+    const baseUrl = `${request.protocol}://${request.get("host")}`;
     const userContext = request.userContext;
+    userContext.baseUrl = baseUrl;
     const checkRoleRequirement = this.reflector.getAllAndOverride(ROLES_KEY, [
       context.getHandler(),
       context.getClass()
     ]);
-    if (checkRoleRequirement) {
-      await this.checkRoleRequirement(checkRoleRequirement, userContext);
+    if (this.isValidRoleRequirement(checkRoleRequirement)) {
+      const spanName = checkRoleRequirement.roles.join(" or ");
+      return this.obs.trace(spanName, async (span) => {
+        span.setAttributes({
+          module: "permission"
+        });
+        const startTime = Date.now();
+        try {
+          const checkResult = await this.permissionService.checkRoles(checkRoleRequirement, laneId);
+          const endTime = Date.now();
+          if (!checkResult.result) {
+            this.logger.warn(JSON.stringify({
+              role: spanName,
+              duration_ms: endTime - startTime,
+              result: checkResult.result ? "has_auth" : "no_auth",
+              result_detail: checkResult.details
+            }), {
+              source_type: "platform",
+              paas_attributes_module: "permission"
+            });
+          } else {
+            this.logger.log(JSON.stringify({
+              role: spanName,
+              duration_ms: endTime - startTime,
+              result: checkResult.result ? "has_auth" : "no_auth"
+            }), {
+              source_type: "platform",
+              paas_attributes_module: "permission"
+            });
+          }
+          return checkResult.result;
+        } catch (error) {
+          const endTime = Date.now();
+          this.logger.error(JSON.stringify({
+            role: spanName,
+            duration_ms: endTime - startTime,
+            result: "",
+            error_message: error.message
+          }), {
+            source_type: "platform",
+            paas_attributes_module: "permission"
+          });
+          throw error;
+        }
+      });
     }
     return true;
   }
-  /**
-  * 检查角色要求
-  */
-  async checkRoleRequirement(requirement, userContext) {
-    return this.permissionService.checkRoles(requirement, userContext);
-  }
 };
 AuthZPaasGuard = _ts_decorate5([
   (0, import_common8.Injectable)(),
+  _ts_param2(2, (0, import_common8.Inject)(import_nestjs_common3.OBSERVABLE_SERVICE)),
   _ts_metadata3("design:type", Function),
   _ts_metadata3("design:paramtypes", [
     typeof import_core3.Reflector === "undefined" ? Object : import_core3.Reflector,
-    typeof PermissionService === "undefined" ? Object : PermissionService
+    typeof PermissionService === "undefined" ? Object : PermissionService,
+    typeof import_nestjs_common3.ObservableService === "undefined" ? Object : import_nestjs_common3.ObservableService
   ])
 ], AuthZPaasGuard);
 
@@ -641,19 +706,17 @@ AuthZPaasModule = _ts_decorate6([
 
 // src/decorators/can-role.decorator.ts
 var import_common10 = require("@nestjs/common");
-var CanRole = /* @__PURE__ */ __name((role, and = false) => {
+var CanRole = /* @__PURE__ */ __name((role) => {
   let requirement;
   if (!Array.isArray(role) && typeof role === "string") {
     requirement = {
       roles: [
         role
-      ],
-      and
+      ]
     };
-  } else if (Array.isArray(role) && role.some((role2) => typeof role2 === "string")) {
+  } else if (Array.isArray(role) && role.every((role2) => typeof role2 === "string")) {
     requirement = {
-      roles: role,
-      and
+      roles: role
     };
   } else {
     throw new Error("Invalid CanRole parameter: " + JSON.stringify(role));
@@ -665,18 +728,13 @@ var CanRole = /* @__PURE__ */ __name((role, and = false) => {
   ANONYMOUS_USER_ID,
   AUTHZPAAS_MODULE_OPTIONS,
   AbilityFactory,
+  AuthZPaasGuard,
   AuthZPaasModule,
-  CACHE_CONFIG_TOKEN,
   CanRole,
-  DEFAULT_LOGIN_PATH,
-  ENABLE_MOCK_ROLE_KEY,
-  ENVIRONMENT_KEY,
-  MOCK_ROLES_COOKIE_KEY,
-  NEED_LOGIN_KEY,
-  PERMISSIONS_KEY,
   PERMISSION_API_CONFIG_TOKEN,
   PermissionDeniedException,
   PermissionDeniedType,
+  PermissionService,
   ROLES_KEY,
   ROLE_SUBJECT
 });