@live-change/access-control-service 0.2.39 → 0.2.42

package/access.js

@@ -1,38 +1,318 @@
+const { parents, parentsSources } = require('./accessControlParents.js')
+const App = require('@live-change/framework')
+const app = App.app()
 
 module.exports = (definition) => {
 
-  const Access = definition.foreignModel('access-control', 'Access')
-  const PublicAccess = definition.foreignModel('access-control', 'PublicAccess')
+  const Access = definition.foreignModel('accessControl', 'Access')
+  const PublicAccess = definition.foreignModel('accessControl', 'PublicAccess')
 
-  function clientHasAnyAccess(client, { objectType, object }) {
-    /// TODO: access control
-    return true
+  const config = definition?.config?.access ?? {}
+
+  const {
+    hasAny = (roles, client, { objectType, object }) => roles.length > 0,
+    isAdmin = (roles, client, { objectType, object }) => roles.includes('administrator'),
+    canInvite = (roles, client, { objectType, object }) => roles.length > 0,
+    canRequest = (roles, client, { objectType, object }) => false
+  } = config
+
+  function testRoles(requiredRoles, clientRoles) {
+    for(const requiredRolesOption of requiredRoles) {
+      if(
+        (Array.isArray(requiredRolesOption) ? requiredRolesOption : [requiredRolesOption])
+          .every(role => clientRoles.includes(role))
+      ) return true
+    }
+    return false
+  }
+
+  async function clientHasAnyAccess(client, { objectType, object, objects }) {
+    return checkRoles(client, { objectType, object, objects }, hasAny)
+  }
+
+  function clientHasAdminAccess(client, { objectType, object, objects }) {
+    return checkRoles(client, { objectType, object, objects }, isAdmin)
+  }
+
+  function clientCanInvite(client, { objectType, object, objects }) {
+    return checkRoles(client, { objectType, object, objects }, canInvite, true)
+  }
+
+  function clientCanRequest(client, { objectType, object, objects }) {
+    return checkRoles(client, { objectType, object, objects }, canRequest)
+  }
+
+  function clientHasAccessRole(client, { objectType, object, objects }, role) {
+    return checkRoles(client, { objectType, object, objects }, (roles) => roles.includes(role) )
+  }
+
+  function clientHasAccessRoles(client, { objectType, object, objects }, roles) {
+    return checkRoles(client, { objectType, object, objects },
+      (clientRoles) => testRoles(requiredRoles, roles)
+    )
+  }
+
+  async function getUnitClientRoles(client, { objectType, object }, ignorePublic) {
+    const [ sessionOrUserType, sessionOrUser ] = client.user ? ['user_User', client.user] : ['session_Session']
+    const [
+      publicAccessData,
+      sessionAccess,
+      userAccess,
+    ] = await Promise.all([
+      ignorePublic ? null : PublicAccess.get(App.encodeIdentifier([ objectType, object ])),
+      Access.get(App.encodeIdentifier([ 'session_Session', client.session, objectType, object ])),
+      client.user
+        ? Access.get(App.encodeIdentifier([ 'user_User', client.user, objectType, object ]))
+        : Promise.resolve(null)
+    ])
+    let roles = []
+    if(publicAccessData) {
+      roles.push(...publicAccessData.sessionRoles)
+      if(client.user) roles.push(...publicAccessData.userRoles)
+    }
+    if(sessionAccess) roles.push(...sessionAccess.roles)
+    if(userAccess) roles.push(...userAccess.roles)
+    return Array.from(new Set(roles))
+  }
+
+  async function getClientObjectRoles(client, { objectType, object }, ignorePublic) {
+    const unitRolesPromise = getUnitClientRoles(client, { objectType, object}, ignorePublic)
+    const accessParentsPromise = parents[objectType]
+      ? parents[objectType]({ objectType, object })
+      : Promise.resolve([])
+    const parentRolesPromise = accessParentsPromise.then(accessParents => Promise.all(
+        accessParents.map(
+          ({ objectType, object }) =>
+            getClientObjectRoles(client, { objectType, object }, ignorePublic)
+        )
+      ).then(rolesArrays => rolesArrays.flat()))
+    const [ unitRoles, parentRoles ] = await Promise.all([ unitRolesPromise, parentRolesPromise ])
+    return Array.from(new Set([ ...client.roles, ...unitRoles, ...parentRoles]))
   }
 
-  function clientHasAdminAccess(client, { objectType, object }) {
-    /// TODO: access control
-    return true
+  async function getClientObjectsRoles(client, objects, ignorePublic) {
+    const objectsRoles = await Promise.all(objects.map(obj => getClientObjectRoles(client, obj, ignorePublic)))
+    const firstObjectRoles = objectsRoles.shift()
+    let roles = firstObjectRoles
+    for(const objectRoles of objectsRoles) {
+      roles = roles.filter(role => objectRoles.includes(role))
+    }
+    return roles
   }
 
-  function clientCanInvite(client, { roles, objectType, object }) {
-    /// TODO: access control
-    return true
+  async function checkRoles(client, { objectType, object, objects }, callback, ignorePublic) {
+    const allObjects = ((objectType && object) ? [{ objectType, object }] : []).concat(objects || [])
+    const roles = await getClientObjectsRoles(client, allObjects, ignorePublic)
+    return await callback(roles, client, { objectType, object })
   }
 
-  function clientCanRequest(client, { roles, objectType, object }) {
-    /// TODO: access control
-    return true
+  /// QUERIES:
+
+  function dbAccessFunctions({
+      input, publicAccessTable, accessTable, updateRoles, isLoaded,
+      client, parentsSourcesMap, output
+    }) {
+    async function treeNode(objectType, object) {
+      const node = {
+        objectType, object,
+        data: null,
+        parents: [],
+        publicSessionRoles: [],
+        publicUserRoles: [],
+        sessionRoles: [],
+        userRoles: []
+      }
+      let objectObserver, publicAccessObserver, sessionAccessObserver, userAccessObserver
+
+      const publicAccessObject = publicAccessTable.object(`${JSON.stringify(objectType)}:${JSON.stringify(object)}`)
+      publicAccessObserver = publicAccessObject.onChange((accessData, oldAccessData) => {
+        node.publicSessionRoles = accessData?.sessionRoles ?? []
+        node.publicUserRoles = (client.user && accessData?.userRoles) ?? []
+        if(isLoaded()) updateRoles()
+      })
+
+      const sessionAccessObject = accessTable.object(
+        `"session_Session":${JSON.stringify(client.session)}:${JSON.stringify(objectType)}:${JSON.stringify(object)}`
+      )
+      sessionAccessObserver = sessionAccessObject && sessionAccessObject.onChange((accessData, oldAccessData) => {
+        node.sessionRoles = accessData?.roles ?? []
+        if(isLoaded()) updateRoles()
+      })
+
+      const userAccessObject = client.user && accessTable.object(
+        `"user_User":${JSON.stringify(client.user)}:${JSON.stringify(objectType)}:${JSON.stringify(object)}`
+      )
+      userAccessObserver = userAccessObject && userAccessObject.onChange((accessData, oldAccessData) => {
+        node.userRoles = accessData?.roles ?? []
+        if(isLoaded()) updateRoles()
+      })
+
+      async function disposeParents() {
+        const oldParents = node.parents
+        return Promise.all(oldParents.map(parent => parent.dispose()))
+      }
+      const parentsSources = parentsSourcesMap[objectType]
+      if(parentsSources) {
+        const objectTable = input.table(objectType)
+        const objectTableObject = objectTable.object(object)
+        objectObserver = objectTableObject.onChange(async (objectData, oldObjectData) => {
+          await disposeParents()
+          node.parents = objectData ? await Promise.all(parentsSources.map(parentSource => {
+            const parentType = parentSource.type || objectData[parentSource.property + 'Type']
+            const parent = objectData[parentSource.property]
+            return treeNode(parentType, parent)
+          })) : []
+        })
+      }
+      node.dispose = async function() {
+        const disposePromises = []
+        if(objectObserver) disposePromises.push(objectObserver.then(obs => obs.dispose()))
+        if(publicAccessObserver) disposePromises.push(publicAccessObserver.then(obs => obs.dispose()))
+        if(sessionAccessObserver) disposePromises.push(sessionAccessObserver.then(obs => obs.dispose()))
+        if(userAccessObserver) disposePromises.push(userAccessObserver.then(obs => obs.dispose()))
+        disposePromises.push(disposeParents())
+        return Promise.all(disposePromises)
+      }
+      await Promise.all([ objectObserver, publicAccessObserver, sessionAccessObserver, userAccessObserver ])
+      return node
+    }
+    function computeNodeRoles(node) {
+      const parentsRoles = node.parents.map(parent => computeNodeRoles(parent)).flat()
+      return Array.from(new Set([
+        ...parentsRoles,
+        ...node.publicUserRoles,
+        ...node.publicSessionRoles,
+        ...node.userRoles,
+        ...node.sessionRoles
+      ]))
+    }
+    return { treeNode, computeNodeRoles }
+  }
+
+  function accessPath(client, objects) {
+    return ['database', 'queryObject', app.databaseName, `(${
+      async (input, output, {
+        objects, parentsSourcesMap, client,
+        accessTableName, publicAccessTableName, dbAccessFunctions
+      }) => {
+        const accessTable = input.table(accessTableName)
+        const publicAccessTable = input.table(publicAccessTableName)
+        let loaded = false
+
+        const { treeNode, computeNodeRoles } =
+          eval(dbAccessFunctions)({
+            input, publicAccessTable, accessTable, updateRoles, isLoaded: () => loaded,
+            client, parentsSourcesMap, output
+          })
+
+        let rolesTreesRoots = objects.map(({ object, objectType }) => treeNode(objectType, object, client))
+
+        const outputObjectId = `${JSON.stringify(client.session)}:${JSON.stringify(client.user)}:` +
+                               objects.map( obj => `${JSON.stringify(objectType)}:${JSON.stringify(object)}`)
+                                 .join(':')
+        let oldOutputObject = null
+        async function updateRoles() {
+          const roots = await Promise.all(rolesTreesRoots)
+          const accesses = roots.map(root => computeNodeRoles(root))
+          const firstAccess = accesses.shift()
+          let roles = firstAccess.roles
+          for(const access of accesses) {
+            roles = roles.filter(role => access.roles.includes(role))
+          }
+          const accessControlRoles = computeNodeRoles()
+          const outputObject = {
+            id: outputObjectId,
+            roles: Array.from(new Set([...accessControlRoles, ...client.roles]))
+          }
+          output.change(outputObject, oldOutputObject)
+          oldOutputObject = outputObject
+        }
+        await Promise.all(rolesTreesRoots)
+        loaded = true
+        await updateRoles()
+      }
+    })`, {
+      objectType, object, parentsSourcesMap: parentsSources, client,
+      accessTableName: Access.tableName, publicAccessTableName: PublicAccess.tableName,
+      dbAccessFunctions: `(${dbAccessFunctions})`
+    }]
+  }
+
+  function accessesPath(client, objects) {
+    return ['database', 'query', app.databaseName, `(${
+      async (input, output, {
+        objects, parentsSourcesMap, client,
+        accessTableName, publicAccessTableName, dbAccessFunctions
+      }) => {
+        const accessTable = input.table(accessTableName)
+        const publicAccessTable = input.table(publicAccessTableName)
+        let loaded = false
+
+        const { treeNode, computeNodeRoles } =
+          eval(dbAccessFunctions)({
+            input, publicAccessTable, accessTable, updateRoles, isLoaded: () => loaded,
+            client, parentsSourcesMap, output,
+          })
+
+        let rolesTreesRoots = objects.map(({ object, objectType }) => treeNode(objectType, object, client))
+        const accesses = []
+        async function updateRoles() {
+          const roots = await Promise.all(rolesTreesRoots)
+          for(let root of roots) {
+            const outputObjectId = `${JSON.stringify(client.session)}:${JSON.stringify(client.user)}` +
+              `:${JSON.stringify(root.objectType)}:${JSON.stringify(root.object)}`
+            const nodeRoles = computeNodeRoles(root)
+            const outputObject = {
+              id: outputObjectId,
+              roles: Array.from(new Set([...nodeRoles, ...client.roles]))
+            }
+            const existingAccessIndex = accesses.findIndex(acc => acc.id == outputObjectId)
+            if(existingAccessIndex != -1) {
+              if(JSON.stringify(outputObject) != JSON.stringify(accesses[existingAccessIndex])) {
+                output.change(outputObject, accesses[existingAccessIndex])
+                accesses[existingAccessIndex] = outputObject
+              } /// else ignore
+            } else {
+              output.change(outputObject, null)
+              accesses.push(outputObject)
+            }
+          }
+        }
+        await Promise.all(rolesTreesRoots)
+        loaded = true
+        await updateRoles()
+      }
+    })`, {
+      objects, parentsSourcesMap: parentsSources, client,
+      accessTableName: Access.tableName, publicAccessTableName: PublicAccess.tableName,
+      dbAccessFunctions: `(${dbAccessFunctions})`
+    }]
+  }
+
+  function accessLimitedGet(client, objects, requiredRoles, path) {
+    const roles = getClientObjectsRoles(client, objects)
+    for(const requiredRole of requiredRoles) {
+
+    }
   }
 
-  function clientHasAccessRole(client, { objectType, object }, role) {
-    return true
+  function accessLimitedObservable(client, objects, path) {
+    if(path[0] != 'database') throw new Error("non database path "+ JSON.stringify(path))
+    const isObject = path[1] == 'queryObject' || path[1] == ''
   }
 
   return {
+    testRoles,
     clientHasAnyAccess, clientHasAdminAccess,
     clientCanInvite,
     clientCanRequest,
-    clientHasAccessRole
+    clientHasAccessRole,
+    clientHasAccessRoles,
+    getClientObjectRoles,
+    getClientObjectsRoles,
+    checkRoles,
+    accessPath,
+    accessesPath
   }
 
 }

package/accessControl.js

@@ -0,0 +1,110 @@
+const definition = require('./definition.js')
+const App = require("@live-change/framework")
+const { ObservableValue, ObservableList, ObservableProxy } = require("@live-change/dao")
+const app = App.app()
+const access = require('./access.js')(definition)
+
+definition.processor({
+  priority: -1,
+  process(service, app) {
+
+    for(const actionName in service.actions) {
+      const action = service.actions[actionName]
+      if(!action.accessControl) continue
+      const config = action.accessControl
+
+      console.log("ACCESS CONTROL", service.name, "ACTION", action.name)
+
+      const oldExec = action.execute
+      action.execute = async (...args) => {
+        const [ properties, context, emit ] = args
+        const { client } = context
+
+        const objects = [].concat(
+          config.objects ? config.objects(properties) : [],
+          (objectType && object) ? [{ objectType, object }] : []
+        )
+        if(objects.length == 0) {
+          throw new Error('no objects for access control to work')
+        }
+        const accessible = access.clientHasAccessRoles(client, { objects }, config.roles)
+        if(!accessible) throw 'notAuthorized'
+
+        return oldExec.apply(action, args)
+      }
+    }
+
+    for(const viewName in service.views) {
+      const view = service.views[viewName]
+      if(!view.accessControl) continue
+      const config = view.accessControl
+
+      console.log("ACCESS CONTROL", service.name, "VIEW", view.name)
+
+      const oldGet = view.get
+      const oldObservable = view.observable
+      view.get = async (...args) => {
+        const [ properties, context ] = args
+        const { client } = context
+        const { objectType, object } = properties
+        const objects = [].concat(
+          config.objects ? config.objects(properties) : [],
+          (objectType && object) ? [{ objectType, object }] : []
+        )
+        if(objects.length == 0) {
+          throw new Error('no objects for access control to work')
+        }
+        const accessible = access.clientHasAccessRoles(client, { objects }, config.roles)
+        if(!accessible) throw 'notAuthorized'
+        return oldGet.apply(view, args)
+      }
+      view.observable = (...args) => {
+        const [ properties, context ] = args
+        const { client } = context
+        const { objectType, object } = properties
+        const objects = [].concat(
+          config.objects ? config.objects(properties) : [],
+          (objectType && object) ? [{ objectType, object }] : []
+        )
+        if(objects.length == 0) {
+          throw new Error('no objects for access control to work')
+        }
+
+        const rolesPath = access.accessPath(client, objects)
+
+        const errorObservable = new ObservableValue()
+        errorObservable.handleError('notAuthorized')
+
+        const observableProxy = new ObservableProxy(null)
+
+        let valueObservable
+
+        let accessible
+        const rolesObservable = app.dao.observable(rolesPath)
+        const rolesObserver = (signal, value) => {
+          const accessObject = rolesObservable.getValue()
+          const newAccessible = access.testRoles(config.roles, accessObject.roles)
+          if(newAccessible !== accessible) {
+            if(newAccessible === true /*&& !valueObservable*/) {
+              valueObservable = oldObservable.apply(view, args)
+            }
+            observableProxy.setTarget(accessible ? valueObservable : errorObservable)
+          }
+        }
+        rolesObservable.observe(rolesObserver)
+
+        const oldDispose = observableProxy.dispose
+        const oldRespawn = observableProxy.respawn
+        observableProxy.dispose = () => {
+          rolesObservable.unobserve(rolesObserver)
+          oldDispose.apply(observableProxy)
+        }
+        observableProxy.respawn = () => {
+          rolesObservable.observe(rolesObserver)
+          oldRespawn.apply(observableProxy)
+        }
+      }
+    }
+
+  }
+})

package/accessControlParents.js

@@ -0,0 +1,22 @@
+const definition = require("./definition.js")
+
+const parents = { }
+const parentsSources = { }
+
+definition.processor(function(service, app) {
+
+  for(let modelName in service.models) {
+    const model = service.models[modelName]
+    if(!model.accessControlParents) continue
+    parents[service.name + '_' + modelName] = model.accessControlParents
+  }
+
+  for(let modelName in service.models) {
+    const model = service.models[modelName]
+    if(!model.accessControlParentsSource) continue
+    parentsSources[service.name + '_' + modelName] = model.accessControlParentsSource
+  }
+
+})
+
+module.exports = { parents, parentsSources }

package/index.js

@@ -5,5 +5,7 @@ const definition = require('./definition.js')
 require('./model.js')
 require('./invite.js')
 require('./request.js')
+require('./view.js')
+require('./accessControl.js')
 
 module.exports = definition

package/invite.js

@@ -221,6 +221,14 @@ for(const contactType of config.contactTypes) {
     access: (params, { client, context, visibilityTest }) =>
         visibilityTest || access.clientCanInvite(client, params),
     async execute(params, { client, service }, emit) {
+      const { roles } = params
+      const myRoles = await access.getClientObjectRoles(client, { objectType, object }, true)
+      if(!myRoles.includes('administrator')) {
+        for(const requestedRole of roles) {
+          if(!myRoles.includes(requestedRole)) throw 'notAuthorized'
+        }
+      }
+
       const [ fromType, from ] = client.user ? ['user_User', client.user] : ['session_Session', client.session]
       const { [contactTypeName]: contact } = params
       const { objectType, object } = params

package/model.js

@@ -39,7 +39,7 @@ const PublicAccess = definition.model({
     to: 'object',
     readAccess: (params, { client, context, visibilityTest }) =>
         visibilityTest || access.clientHasAnyAccess(client, params),
-    writeAccess: (params, { client, context, visibilityTest }) =>
+    writeAccess: async (params, { client, context, visibilityTest }) =>
         visibilityTest || access.clientHasAdminAccess(client, params)
   },
   properties: {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@live-change/access-control-service",
-  "version": "0.2.39",
+  "version": "0.2.42",
   "description": "",
   "main": "index.js",
   "scripts": {
@@ -21,7 +21,7 @@
     "url": "https://www.viamage.com/"
   },
   "dependencies": {
-    "@live-change/framework": "0.6.5"
+    "@live-change/framework": "0.6.9"
   },
-  "gitHead": "09bd3c0c5e1991360c8f13c30b29ccca8f3158ea"
+  "gitHead": "ad7e746f87b5c7be7d040885ca228aab2ec2f23e"
 }

package/request.js

@@ -43,6 +43,12 @@ definition.action({
   access: (params, { client, context, visibilityTest }) =>
       visibilityTest || access.clientCanInvite(client, params),
   async execute({ objectType, object, sessionOrUserType, sessionOrUser, roles }, { client, service }, emit) {
+    const myRoles = await access.getClientObjectRoles(client, { objectType, object }, true)
+    if(!myRoles.includes('administrator')) {
+      for(const requestedRole of roles) {
+        if(!myRoles.includes(requestedRole)) throw 'notAuthorized'
+      }
+    }
     const request = App.encodeIdentifier([ sessionOrUserType, sessionOrUser, objectType, object ])
     const requestData = await AccessRequest.get(request)
     if(!requestData) throw 'not_found'

package/view.js

@@ -0,0 +1,72 @@
+const definition = require("./definition.js")
+const App = require("@live-change/framework")
+const app = App.app()
+
+const access = require('./access.js')(definition)
+
+definition.view({
+  name: "myAccessTo",
+  properties: {
+    objectType: {
+      type: String
+    },
+    object: {
+      type: String
+    },
+    objects: {
+      type: Array,
+      of: {
+        type: Object,
+        properties: {
+          objectType: {
+            type: String
+          },
+          object: {
+            type: String
+          },
+        }
+      }
+    }
+  },
+  returns: {
+    type: Array,
+    of: {
+      type: String
+    }
+  },
+  async daoPath({ objectType, object, objects }, { client, service }, method) {
+    const allObjects = ((objectType && object) ? [{ objectType, object }] : []).concat(objects || [])
+    if(allObjects.length == 0) throw 'empty_objects_list'
+    return access.accessPath(client, allObjects)
+  }
+})
+
+definition.view({
+  name: "myAccessesTo",
+  properties: {
+    objects: {
+      type: Array,
+      of: {
+        type: Object,
+        properties: {
+          objectType: {
+            type: String
+          },
+          object: {
+            type: String
+          }
+        }
+      }
+    }
+  },
+  returns: {
+    type: Array,
+    of: {
+      type: String
+    }
+  },
+  async daoPath({ objects }, { client, service }, method) {
+    if(objects.length == 0) throw 'empty_objects_list'
+    return access.accessesPath(client, objects)
+  }
+})