npm - @live-change/access-control-service - Versions diffs - 0.2.37 → 0.2.40 - Mend

@live-change/access-control-service 0.2.37 → 0.2.40

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/access.js CHANGED Viewed

@@ -1,38 +1,297 @@
+const { parents, parentsSourcesMap } = require('./accessControlParents.js')
+const App = require('@live-change/framework')
+const app = App.app()
 module.exports = (definition) => {
-  const Access = definition.foreignModel('access-control', 'Access')
-  const PublicAccess = definition.foreignModel('access-control', 'PublicAccess')
+  const Access = definition.foreignModel('accessControl', 'Access')
+  const PublicAccess = definition.foreignModel('accessControl', 'PublicAccess')
-  function clientHasAnyAccess(client, { objectType, object }) {
-    /// TODO: access control
-    return true
+  const config = definition?.config?.access ?? {}
+  const {
+    hasAny = (roles, client, { objectType, object }) => roles.length > 0,
+    isAdmin = (roles, client, { objectType, object }) => roles.includes('administrator'),
+    canInvite = (roles, client, { objectType, object }) => roles.length > 0,
+    canRequest = (roles, client, { objectType, object }) => false
+  } = config
+  async function clientHasAnyAccess(client, { objectType, object, objects }) {
+    return checkRoles(client, { objectType, object, objects }, hasAny)
   }
-  function clientHasAdminAccess(client, { objectType, object }) {
-    /// TODO: access control
-    return true
+  function clientHasAdminAccess(client, { objectType, object, objects }) {
+    return checkRoles(client, { objectType, object, objects }, isAdmin)
   }
-  function clientCanInvite(client, { roles, objectType, object }) {
-    /// TODO: access control
-    return true
+  function clientCanInvite(client, { objectType, object, objects }) {
+    return checkRoles(client, { objectType, object, objects }, canInvite, true)
   }
-  function clientCanRequest(client, { roles, objectType, object }) {
-    /// TODO: access control
-    return true
+  function clientCanRequest(client, { objectType, object, objects }) {
+    return checkRoles(client, { objectType, object, objects }, canRequest)
+  }
+  function clientHasAccessRole(client, { objectType, object, objects }, role) {
+    return checkRoles(client, { objectType, object, objects }, (roles) => roles.includes(role) )
+  }
+  function clientHasAccessRoles(client, { objectType, object, objects }, roles) {
+    return checkRoles(client, { objectType, object, objects },
+      (clientRoles) => roles.every(role => clientRoles.includes(role))
+    )
+  }
+  async function getUnitClientRoles(client, { objectType, object }, ignorePublic) {
+    const [ sessionOrUserType, sessionOrUser ] = client.user ? ['user_User', client.user] : ['session_Session']
+    const [
+      publicAccessData,
+      sessionAccess,
+      userAccess,
+    ] = await Promise.all([
+      ignorePublic ? null : PublicAccess.get(App.encodeIdentifier([ objectType, object ])),
+      Access.get(App.encodeIdentifier([ 'session_Session', client.session, objectType, object ])),
+      client.user
+        ? Access.get(App.encodeIdentifier([ 'user_User', client.user, objectType, object ]))
+        : Promise.resolve(null)
+    ])
+    let roles = []
+    if(publicAccessData) {
+      roles.push(...publicAccessData.sessionRoles)
+      if(client.user) roles.push(...publicAccessData.userRoles)
+    }
+    if(sessionAccess) roles.push(...sessionAccess.roles)
+    if(userAccess) roles.push(...userAccess.roles)
+    return Array.from(new Set(roles))
+  }
+  async function getClientObjectRoles(client, { objectType, object }, ignorePublic) {
+    const unitRolesPromise = getUnitClientRoles(client, { objectType, object}, ignorePublic)
+    const accessParentsPromise = parents[objectType]
+      ? parents[objectType]({ objectType, object })
+      : Promise.resolve([])
+    const parentRolesPromise = accessParentsPromise.then(accessParents => Promise.all(
+        accessParents.map(
+          ({ objectType, object }) =>
+            getClientObjectRoles(client, { objectType, object }, ignorePublic)
+        )
+      ).then(rolesArrays => rolesArrays.flat()))
+    const [ unitRoles, parentRoles ] = await Promise.all([ unitRolesPromise, parentRolesPromise ])
+    return Array.from(new Set([ ...client.roles, ...unitRoles, ...parentRoles]))
+  }
+  async function getClientObjectsRoles(client, objects, ignorePublic) {
+    const objectsRoles = await Promise.all(objects.map(obj => getClientObjectRoles(client, obj, ignorePublic)))
+    const firstObjectRoles = objectsRoles.shift()
+    let roles = firstObjectRoles
+    for(const objectRoles of objectsRoles) {
+      roles = roles.filter(role => objectRoles.includes(role))
+    }
+    return roles
+  }
+  async function checkRoles(client, { objectType, object, objects }, callback, ignorePublic) {
+    const allObjects = ((objectType && object) ? [{ objectType, object }] : []).concat(objects || [])
+    const roles = await getClientObjectsRoles(client, allObjects, ignorePublic)
+    return await callback(roles, client, { objectType, object })
+  }
+  /// QUERIES:
+  function dbAccessFunctions({ input, publicAccessTable, accessTable, updateRoles, isLoaded }) {
+    async function treeNode(objectType, object) {
+      const node = {
+        objectType, object,
+        data: null,
+        parents: [],
+        publicSessionRoles: [],
+        publicUserRoles: [],
+        sessionRoles: [],
+        userRoles: []
+      }
+      let objectObserver, publicAccessObserver, sessionAccessObserver, userAccessObserver
+      const publicAccessObject = publicAccessTable.object(`${JSON.stringify(objectType)}:${JSON.stringify(object)}`)
+      publicAccessObserver = publicAccessObject.onChange((accessData, oldAccessData) => {
+        node.publicSessionRoles = accessData?.sessionRoles ?? []
+        node.publicUserRoles = (client.user && accessData?.userRoles) ?? []
+        if(isLoaded()) updateRoles()
+      })
+      const sessionAccessObject = accessTable.object(
+        `session_Session:${JSON.stringify(client.session)}:${JSON.stringify(objectType)}:${JSON.stringify(object)}`
+      )
+      sessionAccessObserver = sessionAccessObject && sessionAccessObject.onChange((accessData, oldAccessData) => {
+        node.sessionRoles = accessData?.roles ?? []
+        if(isLoaded()) updateRoles()
+      })
+      const userAccessObject = client.user && accessTable.object(
+        `user_User:${JSON.stringify(client.user)}:${JSON.stringify(objectType)}:${JSON.stringify(object)}`
+      )
+      userAccessObserver = userAccessObject && userAccessObject.onChange((accessData, oldAccessData) => {
+        node.sessionRoles = accessData?.roles ?? []
+        if(isLoaded()) updateRoles()
+      })
+      async function disposeParents() {
+        const oldParents = node.parents
+        return Promise.all(oldParents.map(parent => parent.dispose()))
+      }
+      const parentsSources = parentsSourcesMap[objectType]
+      if(parentsSources) {
+        const objectTable = input.table(objectType)
+        const objectTableObject = objectTable.object(object)
+        objectObserver = objectTableObject.onChange(async (objectData, oldObjectData) => {
+          await disposeParents()
+          node.parents = objectData ? await Promise.all(parentsSources.map(parentSource => {
+            const parentType = parentSource.type || objectData[parentSource.property + 'Type']
+            const parent = objectData[parentSource.property]
+            return treeNode(parentType, parent)
+          })) : []
+        })
+      }
+      node.dispose = async function() {
+        const disposePromises = []
+        if(objectObserver) disposePromises.push(objectObserver.then(obs => obs.dispose()))
+        if(publicAccessObserver) disposePromises.push(publicAccessObserver.then(obs => obs.dispose()))
+        if(sessionAccessObserver) disposePromises.push(sessionAccessObserver.then(obs => obs.dispose()))
+        if(userAccessObserver) disposePromises.push(userAccessObserver.then(obs => obs.dispose()))
+        disposePromises.push(disposeParents())
+        return Promise.all(disposePromises)
+      }
+      await Promise.all([ objectObserver, publicAccessObserver, sessionAccessObserver, userAccessObserver ])
+      return node
+    }
+    function computeNodeRoles(node) {
+      const parentsRoles = node.parents.map(parent => computeNodeRoles(parent)).flat()
+      return Array.from(new Set([
+        ...parentsRoles,
+        ...node.publicUserRoles,
+        ...node.publicSessionRoles,
+        ...node.userRoles,
+        ...node.sessionRoles
+      ]))
+    }
+    return { treeNode, computeNodeRoles }
+  }
+  function accessPath(client, objects) {
+    return ['database', 'queryObject', app.databaseName, `(${
+      async (input, output, {
+        objects, parentsSourcesMap, client,
+        accessTableName, publicAccessTableName, dbAccessFunctions
+      }) => {
+        const accessTable = input.table(accessTableName)
+        const publicAccessTable = input.table(publicAccessTableName)
+        let loaded = false
+        const { treeNode, computeNodeRoles } =
+          eval(dbAccessFunctions)({ input, publicAccessTable, accessTable, updateRoles, isLoaded: () => loaded })
+        let rolesTreesRoots = objects.map(({ object, objectType }) => treeNode(objectType, object))
+        const outputObjectId = `${JSON.stringify(client.session)}:${JSON.stringify(client.user)}:` +
+                               objects.map( obj => `${JSON.stringify(objectType)}:${JSON.stringify(object)}`)
+                                 .join(':')
+        let oldOutputObject = null
+        async function updateRoles() {
+          const roots = await Promise.all(rolesTreesRoots)
+          const accesses = roots.map(root => computeNodeRoles(root))
+          const firstAccess = accesses.shift()
+          let roles = firstAccess.roles
+          for(const access of accesses) {
+            roles = roles.filter(role => access.roles.includes(role))
+          }
+          const accessControlRoles = computeNodeRoles()
+          const outputObject = {
+            id: outputObjectId,
+            roles: Array.from(new Set([...accessControlRoles, ...client.roles]))
+          }
+          output.change(outputObject, oldOutputObject)
+          oldOutputObject = outputObject
+        }
+        await Promise.all(rolesTreesRoots)
+        loaded = true
+        await updateRoles()
+      }
+    })`, {
+      objectType, object, parentsSourcesMap, client,
+      accessTableName: Access.tableName, publicAccessTableName: PublicAccess.tableName,
+      dbAccessFunctions: `(${dbAccessFunctions})`
+    }]
+  }
+  function accessesPath(client, objects) {
+    return ['database', 'query', app.databaseName, `(${
+      async (input, output, {
+        objects, parentsSourcesMap, client,
+        accessTableName, publicAccessTableName, dbAccessFunctions
+      }) => {
+        const accessTable = input.table(accessTableName)
+        const publicAccessTable = input.table(publicAccessTableName)
+        let loaded = false
+        const { treeNode, computeNodeRoles } =
+          eval(dbAccessFunctions)({ input, publicAccessTable, accessTable, updateRoles, isLoaded: () => loaded })
+        let rolesTreesRoots = objects.map(({ object, objectType }) => treeNode(objectType, object))
+        const accesses = []
+        async function updateRoles() {
+          const roots = await Promise.all(rolesTreesRoots)
+          for(let root of roots) {
+            const outputObjectId = `${JSON.stringify(client.session)}:${JSON.stringify(client.user)}` +
+              `:${JSON.stringify(root.objectType)}:${JSON.stringify(root.object)}`
+            const nodeRoles = computeNodeRoles(root)
+            const outputObject = {
+              id: outputObjectId,
+              roles: Array.from(new Set([...nodeRoles, ...client.roles]))
+            }
+            const existingAccessIndex = accesses.findIndex(acc => acc.id == outputObjectId)
+            if(existingAccessIndex != -1) {
+              if(JSON.stringify(outputObject) != JSON.stringify(accesses[existingAccessIndex])) {
+                output.change(outputObject, accesses[existingAccessIndex])
+                accesses[existingAccessIndex] = outputObject
+              } /// else ignore
+            } else {
+              output.change(outputObject, null)
+              accesses.push(outputObject)
+            }
+          }
+        }
+        await Promise.all(rolesTreesRoots)
+        loaded = true
+        await updateRoles()
+      }
+    })`, {
+      objects, parentsSourcesMap, client,
+      accessTableName: Access.tableName, publicAccessTableName: PublicAccess.tableName,
+    }]
+  }
+  function accessLimitedGet(client, objects, requiredRoles, path) {
+    const roles = getClientObjectsRoles(client, objects)
+    for(const requiredRole of requiredRoles) {
+    }
   }
-  function clientHasAccessRole(client, { objectType, object }, role) {
-    return true
+  function accessLimitedObservable(client, objects, path) {
+    if(path[0] != 'database') throw new Error("non database path "+ JSON.stringify(path))
+    const isObject = path[1] == 'queryObject' || path[1] == ''
   }
   return {
     clientHasAnyAccess, clientHasAdminAccess,
     clientCanInvite,
     clientCanRequest,
-    clientHasAccessRole
+    clientHasAccessRole,
+    clientHasAccessRoles,
+    getClientObjectRoles,
+    getClientObjectsRoles,
+    checkRoles,
+    accessPath,
+    accessesPath
   }
 }

package/accessControlParents.js ADDED Viewed

@@ -0,0 +1,22 @@
+const definition = require("./definition.js")
+const parents = { }
+const parentsSources = { }
+definition.processor(function(service, app) {
+  for(let modelName in service.models) {
+    const model = service.models[modelName]
+    if(!model.accessControlParents) continue
+    parents[service.name + '_' + modelName] = model.accessControlParents
+  }
+  for(let modelName in service.models) {
+    const model = service.models[modelName]
+    if(!model.accessControlParentsSource) continue
+    parentsSources[service.name + '_' + modelName] = model.accessControlParentsSource
+  }
+})
+module.exports = { parents, parentsSources }

package/index.js CHANGED Viewed

@@ -5,5 +5,6 @@ const definition = require('./definition.js')
 require('./model.js')
 require('./invite.js')
 require('./request.js')
+require('./view.js')
 module.exports = definition

package/invite.js CHANGED Viewed

@@ -221,6 +221,14 @@ for(const contactType of config.contactTypes) {
     access: (params, { client, context, visibilityTest }) =>
         visibilityTest || access.clientCanInvite(client, params),
     async execute(params, { client, service }, emit) {
+      const { roles } = params
+      const myRoles = await access.getClientObjectRoles(client, { objectType, object }, true)
+      if(!myRoles.includes('administrator')) {
+        for(const requestedRole of roles) {
+          if(!myRoles.includes(requestedRole)) throw 'notAuthorized'
+        }
+      }
       const [ fromType, from ] = client.user ? ['user_User', client.user] : ['session_Session', client.session]
       const { [contactTypeName]: contact } = params
       const { objectType, object } = params

package/limitedAccess.js ADDED Viewed

@@ -0,0 +1,107 @@
+const definition = require('./definition.js')
+const App = require("@live-change/framework")
+const { ObservableValue, ObservableList, ObservableProxy } = require("@live-change/dao")
+const app = App.app()
+const access = require('./access.js')(definition)
+definition.processor(function(service, app) {
+  for(const actionName in service.actions) {
+    const action = service.actions[actionName]
+    if(!action.limitedAccess) continue
+    const config = action.limitedAccess
+    console.log("LIMITED ACCESS", service.name, "ACTION", action.name)
+    const oldExec = action.execute
+    action.execute = async (...args) => {
+      const [ properties, context, emit ] = args
+      const { client } = context
+      const objects = [].concat(
+        config.objects ? config.objects(properties) : [],
+        (objectType && object) ? [{ objectType, object }] : []
+      )
+      if(objects.length == 0) {
+        throw new Error('no objects for access control to work')
+      }
+      const accessible = access.clientHasAccessRoles(client, { objects }, config.roles)
+      if(!accessible) throw 'notAuthorized'
+      return oldExec.apply(action, args)
+    }
+  }
+  for(const viewName in service.views) {
+    const view = service.view[viewName]
+    if(!view.limitedAccess) continue
+    const config = view.limitedAccess
+    console.log("LIMITED ACCESS", service.name, "VIEW", view.name)
+    const oldGet = view.get
+    const oldObservable = view.observable
+    view.get = async (...args) => {
+      const [ properties, context ] = args
+      const { client } = context
+      const { objectType, object } = properties
+      const objects = [].concat(
+        config.objects ? config.objects(properties) : [],
+        (objectType && object) ? [{ objectType, object }] : []
+      )
+      if(objects.length == 0) {
+        throw new Error('no objects for access control to work')
+      }
+      const accessible = access.clientHasAccessRoles(client, { objects }, config.roles)
+      if(!accessible) throw 'notAuthorized'
+      return oldGet.apply(view, args)
+    }
+    view.observable = (...args) => {
+      const [ properties, context ] = args
+      const { client } = context
+      const { objectType, object } = properties
+      const objects = [].concat(
+        config.objects ? config.objects(properties) : [],
+        (objectType && object) ? [{ objectType, object }] : []
+      )
+      if(objects.length == 0) {
+        throw new Error('no objects for access control to work')
+      }
+      const rolesPath = access.accessPath(client, objects)
+      const errorObservable = new ObservableValue()
+      errorObservable.handleError('notAuthorized')
+      const observableProxy = new ObservableProxy(null)
+      let valueObservable
+      let accessible
+      const rolesObservable = app.dao.observable(rolesPath)
+      const rolesObserver = (signal, value) => {
+        const accessObject = rolesObservable.getValue()
+        const newAccessible = config.roles.every(role => accessObject.roles.includes(role))
+        if(newAccessible !== accessible) {
+          if(newAccessible === true /*&& !valueObservable*/) {
+            valueObservable = oldObservable.apply(view, args)
+          }
+          observableProxy.setTarget(accessible ? valueObservable : errorObservable)
+        }
+      }
+      rolesObservable.observe(rolesObserver)
+      const oldDispose = observableProxy.dispose
+      const oldRespawn = observableProxy.respawn
+      observableProxy.dispose = () => {
+        rolesObservable.unobserve(rolesObserver)
+        oldDispose.apply(observableProxy)
+      }
+      observableProxy.respawn = () => {
+        rolesObservable.observe(rolesObserver)
+        oldRespawn.apply(observableProxy)
+      }
+    }
+  }
+})

package/model.js CHANGED Viewed

@@ -39,7 +39,7 @@ const PublicAccess = definition.model({
     to: 'object',
     readAccess: (params, { client, context, visibilityTest }) =>
         visibilityTest || access.clientHasAnyAccess(client, params),
-    writeAccess: (params, { client, context, visibilityTest }) =>
+    writeAccess: async (params, { client, context, visibilityTest }) =>
         visibilityTest || access.clientHasAdminAccess(client, params)
   },
   properties: {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@live-change/access-control-service",
-  "version": "0.2.37",
+  "version": "0.2.40",
   "description": "",
   "main": "index.js",
   "scripts": {
@@ -21,7 +21,7 @@
     "url": "https://www.viamage.com/"
   },
   "dependencies": {
-    "@live-change/framework": "0.6.5"
+    "@live-change/framework": "0.6.6"
   },
-  "gitHead": "f3bc615d20a0112c7cc76d55ba1cbefb53b84f01"
+  "gitHead": "4a920b328b0a7f3f25c67cdba3e574687971ee22"
 }

package/request.js CHANGED Viewed

@@ -43,6 +43,12 @@ definition.action({
   access: (params, { client, context, visibilityTest }) =>
       visibilityTest || access.clientCanInvite(client, params),
   async execute({ objectType, object, sessionOrUserType, sessionOrUser, roles }, { client, service }, emit) {
+    const myRoles = await access.getClientObjectRoles(client, { objectType, object }, true)
+    if(!myRoles.includes('administrator')) {
+      for(const requestedRole of roles) {
+        if(!myRoles.includes(requestedRole)) throw 'notAuthorized'
+      }
+    }
     const request = App.encodeIdentifier([ sessionOrUserType, sessionOrUser, objectType, object ])
     const requestData = await AccessRequest.get(request)
     if(!requestData) throw 'not_found'

package/view.js ADDED Viewed

@@ -0,0 +1,72 @@
+const definition = require("./definition.js")
+const App = require("@live-change/framework")
+const app = App.app()
+const access = require('./access.js')(definition)
+definition.view({
+  name: "myAccessTo",
+  properties: {
+    objectType: {
+      type: String
+    },
+    object: {
+      type: String
+    },
+    objects: {
+      type: Array,
+      of: {
+        type: Object,
+        properties: {
+          objectType: {
+            type: String
+          },
+          object: {
+            type: String
+          },
+        }
+      }
+    }
+  },
+  returns: {
+    type: Array,
+    of: {
+      type: String
+    }
+  },
+  async daoPath({ objectType, object, objects }, { client, service }, method) {
+    const allObjects = ((objectType && object) ? [{ objectType, object }] : []).concat(objects || [])
+    if(allObjects.length == 0) throw 'empty_objects_list'
+    return access.accessPath(client, allObjects)
+  }
+})
+definition.view({
+  name: "myAccessesTo",
+  properties: {
+    objects: {
+      type: Array,
+      of: {
+        type: Object,
+        properties: {
+          objectType: {
+            type: String
+          },
+          object: {
+            type: String
+          }
+        }
+      }
+    }
+  },
+  returns: {
+    type: Array,
+    of: {
+      type: String
+    }
+  },
+  async daoPath({ objects }, { client, service }, method) {
+    if(objects.length == 0) throw 'empty_objects_list'
+    return access.accessesPath(client, objects)
+  }
+})