@mondaydotcomorg/monday-authorization 3.2.3 → 3.2.4

package/src/authorization-service.ts

@@ -0,0 +1,365 @@
+import { performance } from 'perf_hooks';
+import snakeCase from 'lodash/snakeCase.js';
+import camelCase from 'lodash/camelCase.js';
+import mapKeys from 'lodash/mapKeys.js';
+import { MondayFetchOptions } from '@mondaydotcomorg/monday-fetch';
+import { Api } from '@mondaydotcomorg/trident-backend-api';
+import { HttpFetcherError } from '@mondaydotcomorg/monday-fetch-api';
+import { getIgniteClient, IgniteClient } from '@mondaydotcomorg/ignite-sdk';
+import { Action, AuthorizationObject, AuthorizationParams, Resource } from './types/general';
+import { sendAuthorizationCheckResponseTimeMetric } from './prometheus-service';
+import {
+  ScopedAction,
+  ScopedActionPermit,
+  ScopedActionResponseObject,
+  ScopeOptions,
+} from './types/scoped-actions-contracts';
+import { AuthorizationInternalService, logger } from './authorization-internal-service';
+import { getAttributionsFromApi, getProfile, PlatformProfile } from './attributions-service';
+
+const GRANTED_FEATURE_CACHE_EXPIRATION_SECONDS = 5 * 60;
+const PLATFORM_AUTHORIZE_PATH = '/internal_ms/authorization/authorize';
+const PLATFORM_CAN_ACTIONS_IN_SCOPES_PATH = '/internal_ms/authorization/can_actions_in_scopes';
+
+const ALLOWED_SDK_PLATFORM_PROFILES_KEY = 'allowed-sdk-platform-profiles';
+const IN_RELEASE_SDK_PLATFORM_PROFILES_KEY = 'in-release-sdk-platform-profile';
+const PLATFORM_PROFILE_RELEASE_FF = 'sdk-platform-profiles';
+
+export interface AuthorizeResponse {
+  isAuthorized: boolean;
+  unauthorizedIds?: number[];
+  unauthorizedObjects?: AuthorizationObject[];
+}
+
+export function setRequestFetchOptions(customMondayFetchOptions: MondayFetchOptions) {
+  AuthorizationInternalService.setRequestFetchOptions(customMondayFetchOptions);
+}
+
+type CamelCase<S extends string> = S extends `${infer F}_${infer R}` ? `${F}${Capitalize<CamelCase<R>>}` : S;
+type CamelCaseKeys<T> = T extends object
+  ? { [K in keyof T as K extends string ? CamelCase<K> : K]: CamelCaseKeys<T[K]> }
+  : T;
+
+interface IsAuthorizedResponse {
+  result: boolean[];
+}
+
+interface CanActionsInScopesResponse {
+  result: ScopedActionResponseObject[];
+}
+
+export class AuthorizationService {
+  static redisClient?;
+  static grantedFeatureRedisExpirationInSeconds?: number;
+  static igniteClient?: IgniteClient;
+
+  /**
+   * @deprecated use the second form with authorizationRequestObjects instead,
+   * support of this function will be dropped gradually
+   */
+  static async isAuthorized(
+    accountId: number,
+    userId: number,
+    resources: Resource[],
+    action: Action
+  ): Promise<AuthorizeResponse>;
+
+  static async isAuthorized(
+    accountId: number,
+    userId: number,
+    authorizationRequestObjects: AuthorizationObject[]
+  ): Promise<AuthorizeResponse>;
+
+  static async isAuthorized(...args: any[]) {
+    if (args.length === 3) {
+      return this.isAuthorizedMultiple(args[0], args[1], args[2]);
+    } else if (args.length == 4) {
+      return this.isAuthorizedSingular(args[0], args[1], args[2], args[3]);
+    } else {
+      throw new Error('isAuthorized accepts either 3 or 4 arguments');
+    }
+  }
+
+  /**
+   * @deprecated - Please use Ignite instead: https://github.com/DaPulse/ignite-monorepo/blob/master/packages/ignite-sdk/README.md
+   * @sunsetDate 2024-12-31
+   */
+  static async isUserGrantedWithFeature(
+    accountId: number,
+    userId: number,
+    featureName: string,
+    options: { shouldSkipCache?: boolean } = {}
+  ): Promise<boolean> {
+    const cachedKey = this.getCachedKeyName(userId, featureName);
+    const shouldSkipCache = options.shouldSkipCache ?? false;
+    if (this.redisClient && !shouldSkipCache) {
+      const grantedFeatureValue = await this.redisClient.get(cachedKey);
+      if (!(grantedFeatureValue === undefined || grantedFeatureValue === null)) {
+        // redis returns the value as string
+        return grantedFeatureValue === 'true';
+      }
+    }
+
+    const grantedFeatureValue = await this.fetchIsUserGrantedWithFeature(featureName, accountId, userId);
+    if (this.redisClient) {
+      await this.redisClient.set(cachedKey, grantedFeatureValue, 'EX', this.grantedFeatureRedisExpirationInSeconds);
+    }
+    return grantedFeatureValue;
+  }
+
+  private static async fetchIsUserGrantedWithFeature(
+    featureName: string,
+    accountId: number,
+    userId: number
+  ): Promise<boolean> {
+    const authorizationObject: AuthorizationObject = {
+      action: featureName,
+      resource_type: 'feature',
+    };
+
+    const authorizeResponsePromise = await this.isAuthorized(accountId, userId, [authorizationObject]);
+    return authorizeResponsePromise.isAuthorized;
+  }
+
+  private static getCachedKeyName(userId: number, featureName: string): string {
+    return `granted-feature-${featureName}-${userId}`;
+  }
+
+  static async canActionInScope(
+    accountId: number,
+    userId: number,
+    action: string,
+    scope: ScopeOptions
+  ): Promise<ScopedActionPermit> {
+    const scopedActions = [{ action, scope }];
+    const scopedActionResponseObjects = await this.canActionInScopeMultiple(accountId, userId, scopedActions);
+    return scopedActionResponseObjects[0].permit;
+  }
+
+  private static getProfile(accountId: number, userId: number): PlatformProfile {
+    const appName: string = process.env.APP_NAME ?? 'INVALID_APP_NAME';
+    if (!this.igniteClient) {
+      logger.error({ tag: 'authorization-service' }, 'AuthorizationService: igniteClient is not set, failing request');
+      throw new Error('AuthorizationService: igniteClient is not set, failing request');
+    }
+    if (
+      this.igniteClient.configuration.getObjectValue<string[]>(ALLOWED_SDK_PLATFORM_PROFILES_KEY, []).includes(appName)
+    ) {
+      return getProfile();
+    }
+    if (
+      this.igniteClient.configuration
+        .getObjectValue<string[]>(IN_RELEASE_SDK_PLATFORM_PROFILES_KEY, [])
+        .includes(appName) &&
+      this.igniteClient.isReleased(PLATFORM_PROFILE_RELEASE_FF, { accountId, userId })
+    ) {
+      return getProfile();
+    }
+    return PlatformProfile.APP;
+  }
+
+  static async canActionInScopeMultiple(
+    accountId: number,
+    userId: number,
+    scopedActions: ScopedAction[]
+  ): Promise<ScopedActionResponseObject[]> {
+    const profile = this.getProfile(accountId, userId);
+    const internalAuthToken = AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
+    const scopedActionsPayload = scopedActions.map(scopedAction => {
+      return { ...scopedAction, scope: mapKeys(scopedAction.scope, (_, key) => snakeCase(key)) }; // for example: { workspaceId: 1 } => { workspace_id: 1 }
+    });
+
+    const attributionHeaders = getAttributionsFromApi();
+    const httpClient = Api.getPart('httpClient');
+
+    let response: CanActionsInScopesResponse | undefined;
+    try {
+      response = await httpClient!.fetch<CanActionsInScopesResponse>(
+        {
+          url: {
+            appName: 'platform',
+            path: PLATFORM_CAN_ACTIONS_IN_SCOPES_PATH,
+            profile,
+          },
+          method: 'POST',
+          headers: {
+            Authorization: internalAuthToken,
+            'Content-Type': 'application/json',
+            ...attributionHeaders,
+          },
+          body: JSON.stringify({
+            user_id: userId,
+            scoped_actions: scopedActionsPayload,
+          }),
+        },
+        {
+          timeout: AuthorizationInternalService.getRequestTimeout(),
+          retryPolicy: AuthorizationInternalService.getRetriesPolicy(),
+        }
+      );
+    } catch (err) {
+      if (err instanceof HttpFetcherError) {
+        AuthorizationInternalService.throwOnHttpError(err.status, 'canActionInScopeMultiple');
+      } else {
+        throw err;
+      }
+    }
+
+    function toCamelCase<T extends object>(obj: T): CamelCaseKeys<T> {
+      return mapKeys(obj, (_, key) => camelCase(key)) as CamelCaseKeys<T>;
+    }
+
+    if (!response) {
+      logger.error({ tag: 'authorization-service', response }, 'AuthorizationService: missing response');
+      throw new Error('AuthorizationService: missing response');
+    }
+
+    const scopedActionsResponseObjects = response.result.map(responseObject => {
+      const { scopedAction, permit } = responseObject;
+      const { scope } = scopedAction;
+
+      return {
+        ...responseObject,
+        scopedAction: { ...scopedAction, scope: toCamelCase(scope) },
+        permit: toCamelCase(permit),
+      };
+    });
+
+    return scopedActionsResponseObjects;
+  }
+
+  private static async isAuthorizedSingular(
+    accountId: number,
+    userId: number,
+    resources: Resource[],
+    action: Action
+  ): Promise<AuthorizeResponse> {
+    const { authorizationObjects } = createAuthorizationParams(resources, action);
+    return this.isAuthorizedMultiple(accountId, userId, authorizationObjects);
+  }
+
+  private static async isAuthorizedMultiple(
+    accountId: number,
+    userId: number,
+    authorizationRequestObjects: AuthorizationObject[]
+  ): Promise<AuthorizeResponse> {
+    const profile = this.getProfile(accountId, userId);
+    const internalAuthToken = AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
+    const startTime = performance.now();
+    const attributionHeaders = getAttributionsFromApi();
+    const httpClient = Api.getPart('httpClient');
+
+    let response: IsAuthorizedResponse | undefined;
+    try {
+      response = await httpClient!.fetch<IsAuthorizedResponse>(
+        {
+          url: {
+            appName: 'platform',
+            path: PLATFORM_AUTHORIZE_PATH,
+            profile,
+          },
+          method: 'POST',
+          headers: {
+            Authorization: internalAuthToken,
+            'Content-Type': 'application/json',
+            ...attributionHeaders,
+          },
+          body: JSON.stringify({
+            user_id: userId,
+            authorize_request_objects: authorizationRequestObjects,
+          }),
+        },
+        {
+          timeout: AuthorizationInternalService.getRequestTimeout(),
+          retryPolicy: AuthorizationInternalService.getRetriesPolicy(),
+        }
+      );
+    } catch (err) {
+      if (err instanceof httpClient!.HttpFetcherError) {
+        AuthorizationInternalService.throwOnHttpError(err.status, 'isAuthorizedMultiple');
+      } else {
+        throw err;
+      }
+    }
+    const endTime = performance.now();
+    const time = endTime - startTime;
+
+    const unauthorizedObjects: AuthorizationObject[] = [];
+
+    if (!response) {
+      logger.error({ tag: 'authorization-service', response }, 'AuthorizationService: missing response');
+      throw new Error('AuthorizationService: missing response');
+    }
+
+    response.result.forEach(function (isAuthorized, index) {
+      const authorizationObject = authorizationRequestObjects[index];
+      if (!isAuthorized) {
+        unauthorizedObjects.push(authorizationObject);
+      }
+
+      sendAuthorizationCheckResponseTimeMetric(
+        authorizationObject.resource_type,
+        authorizationObject.action,
+        isAuthorized,
+        200,
+        time
+      );
+    });
+
+    if (unauthorizedObjects.length > 0) {
+      logger.info(
+        {
+          resources: JSON.stringify(unauthorizedObjects),
+        },
+        'AuthorizationService: resource is unauthorized'
+      );
+      const unauthorizedIds = unauthorizedObjects
+        .filter(obj => !!obj.resource_id)
+        .map(obj => obj.resource_id) as number[];
+      return { isAuthorized: false, unauthorizedIds, unauthorizedObjects };
+    }
+
+    return { isAuthorized: true };
+  }
+}
+
+export function setRedisClient(
+  client,
+  grantedFeatureRedisExpirationInSeconds: number = GRANTED_FEATURE_CACHE_EXPIRATION_SECONDS
+) {
+  AuthorizationService.redisClient = client;
+  if (grantedFeatureRedisExpirationInSeconds && grantedFeatureRedisExpirationInSeconds > 0) {
+    AuthorizationService.grantedFeatureRedisExpirationInSeconds = grantedFeatureRedisExpirationInSeconds;
+  } else {
+    logger.warn(
+      { grantedFeatureRedisExpirationInSeconds },
+      'Invalid input for grantedFeatureRedisExpirationInSeconds, must be positive number. using default ttl.'
+    );
+    AuthorizationService.grantedFeatureRedisExpirationInSeconds = GRANTED_FEATURE_CACHE_EXPIRATION_SECONDS;
+  }
+}
+
+export async function setIgniteClient() {
+  const igniteClient = await getIgniteClient({
+    namespace: ['authorization-sdk'],
+  });
+  AuthorizationService.igniteClient = igniteClient;
+  AuthorizationInternalService.setIgniteClient(igniteClient);
+}
+
+export function createAuthorizationParams(resources: Resource[], action: Action): AuthorizationParams {
+  const params = {
+    authorizationObjects: resources.map((resource: Resource) => {
+      const authorizationObject: AuthorizationObject = {
+        resource_id: resource.id,
+        resource_type: resource.type,
+        action,
+      };
+      if (resource.wrapperData) {
+        authorizationObject.wrapper_data = resource.wrapperData;
+      }
+      return authorizationObject;
+    }),
+  };
+  return params;
+}

package/src/constants/sns.ts

@@ -0,0 +1,5 @@
+export const SNS_ARN_ENV_VAR_NAME = 'SHARED_AUTHORIZATION_SNS_ENDPOINT_RESOURCE_ATTRIBUTES';
+export const SNS_DEV_TEST_NAME =
+  'arn:aws:sns:us-east-1:000000000000:monday-authorization-resource-attributes-sns-local';
+export const RESOURCE_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND = 'resourceAttributeModification';
+export const ASYNC_RESOURCE_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE = 100;

package/src/constants.ts

@@ -0,0 +1,22 @@
+import { RecursivePartial } from '@mondaydotcomorg/monday-fetch-api';
+import { FetcherConfig } from '@mondaydotcomorg/trident-backend-api';
+
+export const APP_NAME = 'authorization';
+
+export const ERROR_MESSAGES = {
+  HTTP_CLIENT_NOT_INITIALIZED: 'MondayAuthorization: HTTP client is not initialized',
+  REQUEST_FAILED: (method: string, status: number, reason: string) =>
+    `MondayAuthorization: [${method}] request failed with status ${status} with reason: ${reason}`,
+} as const;
+
+export const DEFAULT_FETCH_OPTIONS: RecursivePartial<FetcherConfig> = {
+  retryPolicy: {
+    useRetries: true,
+    maxRetries: 3,
+    retryDelayMS: 10,
+  },
+  logPolicy: {
+    logErrors: 'error',
+    logRequests: 'info',
+  },
+};

package/src/index.ts

@@ -0,0 +1,46 @@
+import { MondayFetchOptions } from '@mondaydotcomorg/monday-fetch';
+import { setPrometheus } from './prometheus-service';
+import { setIgniteClient, setRedisClient, setRequestFetchOptions } from './authorization-service';
+import * as TestKit from './testKit';
+
+export interface InitOptions {
+  prometheus?: any;
+  mondayFetchOptions?: MondayFetchOptions;
+  redisClient?: any;
+  grantedFeatureRedisExpirationInSeconds?: number;
+}
+
+export async function init(options: InitOptions = {}) {
+  if (options.prometheus) {
+    setPrometheus(options.prometheus);
+  }
+
+  if (options.mondayFetchOptions) {
+    setRequestFetchOptions(options.mondayFetchOptions);
+  }
+  if (options.redisClient) {
+    setRedisClient(options.redisClient, options.grantedFeatureRedisExpirationInSeconds);
+  }
+
+  // add an ignite client for gradual release features
+  await setIgniteClient();
+}
+
+export {
+  authorizationCheckMiddleware,
+  getAuthorizationMiddleware,
+  skipAuthorizationMiddleware,
+} from './authorization-middleware';
+export { AuthorizationService, AuthorizeResponse } from './authorization-service';
+export { AuthorizationAttributesService } from './authorization-attributes-service';
+export { RolesService } from './roles-service';
+export { AuthorizationObject, Resource, BaseRequest, ResourceGetter, ContextGetter } from './types/general';
+export {
+  Translation,
+  ScopedAction,
+  ScopedActionResponseObject,
+  ScopedActionPermit,
+} from './types/scoped-actions-contracts';
+export { CustomRole, BasicRole, RoleType, RoleCreateRequest, RoleUpdateRequest, RolesResponse } from './types/roles';
+
+export { TestKit };

package/src/prometheus-service.ts

@@ -0,0 +1,48 @@
+import { Action } from './types/general';
+
+let prometheus: any = null;
+let authorizationCheckResponseTimeMetric: any = null;
+
+export const METRICS = {
+  AUTHORIZATION_CHECK: 'authorization_check',
+  AUTHORIZATION_CHECKS_PER_REQUEST: 'authorization_checks_per_request',
+  AUTHORIZATION_CHECK_RESPONSE_TIME: 'authorization_check_response_time',
+};
+
+const authorizationCheckResponseTimeMetricConfig = {
+  name: METRICS.AUTHORIZATION_CHECK_RESPONSE_TIME,
+  labels: ['resourceType', 'action', 'isAuthorized', 'responseStatus'],
+  description: 'Authorization check response time summary',
+};
+
+export function setPrometheus(customPrometheus) {
+  prometheus = customPrometheus;
+  const { METRICS_TYPES } = prometheus;
+
+  authorizationCheckResponseTimeMetric = getMetricsManager().addMetric(
+    METRICS_TYPES.SUMMARY,
+    authorizationCheckResponseTimeMetricConfig.name,
+    authorizationCheckResponseTimeMetricConfig.labels,
+    authorizationCheckResponseTimeMetricConfig.description
+  );
+}
+
+export function getMetricsManager() {
+  return prometheus?.metricsManager;
+}
+
+export function sendAuthorizationCheckResponseTimeMetric(
+  resourceType: string,
+  action: Action,
+  isAuthorized: boolean,
+  responseStatus: number,
+  time: number
+) {
+  try {
+    if (authorizationCheckResponseTimeMetric) {
+      authorizationCheckResponseTimeMetric.labels(resourceType, action, isAuthorized, responseStatus).observe(time);
+    }
+  } catch (e) {
+    // ignore
+  }
+}

package/src/roles-service.ts

@@ -0,0 +1,125 @@
+import { Api, FetcherConfig, HttpClient } from '@mondaydotcomorg/trident-backend-api';
+import { HttpFetcherError, RecursivePartial } from '@mondaydotcomorg/monday-fetch-api';
+import { RoleCreateRequest, RolesResponse, RoleUpdateRequest } from 'types/roles';
+import { getAttributionsFromApi } from 'attributions-service';
+import { APP_NAME, DEFAULT_FETCH_OPTIONS, ERROR_MESSAGES } from './constants';
+
+const API_PATH = '/roles/account/{accountId}';
+
+export class RolesService {
+  private httpClient: HttpClient;
+  private fetchOptions: RecursivePartial<FetcherConfig>;
+  private attributionHeaders: { [key: string]: string };
+
+  /**
+   * Public constructor to create the AuthorizationAttributesService instance.
+   * @param httpClient The HTTP client to use for API requests, if not provided, the default HTTP client from Api will be used.
+   * @param fetchOptions The fetch options to use for API requests, if not provided, the default fetch options will be used.
+   */
+  constructor(httpClient?: HttpClient, fetchOptions?: RecursivePartial<FetcherConfig>) {
+    if (!httpClient) {
+      httpClient = Api.getPart('httpClient');
+      if (!httpClient) {
+        throw new Error(ERROR_MESSAGES.HTTP_CLIENT_NOT_INITIALIZED);
+      }
+    }
+
+    if (!fetchOptions) {
+      fetchOptions = DEFAULT_FETCH_OPTIONS;
+    } else {
+      fetchOptions = {
+        ...DEFAULT_FETCH_OPTIONS,
+        ...fetchOptions,
+      };
+    }
+    this.httpClient = httpClient;
+    this.fetchOptions = fetchOptions;
+    this.attributionHeaders = getAttributionsFromApi();
+  }
+
+  /**
+   * Get all roles for an account
+   * @param accountId - The account ID
+   * @param style - The style of the roles to return, either 'A' or 'B', default is 'A'. 'B' is not deprecated and only available for backward compatibility.
+   * @returns - The roles for the account, both basic and custom roles. Note that basic role ids are returned in A style and not B style.
+   */
+  async getRoles(accountId: number, resourceTypes: string[], style: 'A' | 'B' = 'A'): Promise<RolesResponse> {
+    return await this.sendRoleRequest('GET', accountId, {}, { resourceTypes, style });
+  }
+
+  /**
+   * Create a custom role for an account
+   * @param accountId - The account ID
+   * @param roles - The roles to create
+   * @returns - The created roles
+   * Note that basic role ids should be provided in A style and not in B style.
+   */
+  async createCustomRole(accountId: number, roles: RoleCreateRequest[]): Promise<RolesResponse> {
+    if (roles.length === 0) {
+      throw new Error('Roles array cannot be empty');
+    }
+
+    return await this.sendRoleRequest('PUT', accountId, {
+      customRoles: roles,
+    });
+  }
+
+  /**
+   * Delete a custom role for an account
+   * @param accountId - The account ID
+   * @param roleIds - The ids of the roles to delete
+   * @returns - The deleted roles. Note that basic role ids should be provided in A style and not in B style.
+   */
+  async deleteCustomRole(accountId: number, roleIds: number[]): Promise<RolesResponse> {
+    return await this.sendRoleRequest('DELETE', accountId, {
+      ids: roleIds,
+    });
+  }
+
+  /**
+   * Update a custom role for an account
+   * @param accountId - The account ID
+   * @param updateRequests - The requests to update the roles
+   * @returns - The updated roles. Note that basic role ids should be provided in A style and not in B style.
+   */
+  async updateCustomRole(accountId: number, updateRequests: RoleUpdateRequest[]): Promise<RolesResponse> {
+    return await this.sendRoleRequest('PATCH', accountId, {
+      customRoles: updateRequests,
+    });
+  }
+
+  private async sendRoleRequest(
+    method: 'PUT' | 'GET' | 'DELETE' | 'PATCH',
+    accountId: number,
+    body: any,
+    additionalQueryParams: { [key: string]: any } = {},
+    style: 'A' | 'B' = 'A'
+  ): Promise<RolesResponse> {
+    try {
+      return await this.httpClient.fetch<RolesResponse>(
+        {
+          url: {
+            appName: APP_NAME,
+            path: API_PATH.replace('{accountId}', accountId.toString()),
+          },
+          query: {
+            style: style,
+            ...additionalQueryParams,
+          },
+          method,
+          headers: {
+            'Content-Type': 'application/json',
+            ...this.attributionHeaders,
+          },
+          body: method === 'GET' ? undefined : body,
+        },
+        this.fetchOptions
+      );
+    } catch (err) {
+      if (err instanceof HttpFetcherError) {
+        throw new Error(ERROR_MESSAGES.REQUEST_FAILED('sendRoleRequest', err.status, err.message));
+      }
+      throw err;
+    }
+  }
+}

package/src/testKit/index.ts

@@ -0,0 +1,66 @@
+import { Action, BaseRequest, BaseResponse, ContextGetter, Resource, ResourceGetter } from '../types/general';
+import { defaultContextGetter } from '../authorization-middleware';
+import { AuthorizationInternalService } from '../authorization-internal-service';
+import type { NextFunction } from 'express';
+
+export type TestPermittedAction = {
+  accountId: number;
+  userId: number;
+  resources: Resource[];
+  action: Action;
+};
+
+let testPermittedActions: TestPermittedAction[] = [];
+export const addTestPermittedAction = (accountId: number, userId: number, resources: Resource[], action: Action) => {
+  testPermittedActions.push({ accountId, userId, resources, action });
+};
+
+export const clearTestPermittedActions = () => {
+  testPermittedActions = [];
+};
+
+const isActionAuthorized = (accountId: number, userId: number, resources: Resource[], action: Action) => {
+  return {
+    isAuthorized: resources.every(_ => {
+      return testPermittedActions.some(combination => {
+        return (
+          combination.accountId === accountId &&
+          combination.userId === userId &&
+          combination.action === action &&
+          combination.resources.some(combinationResource => {
+            return resources.some(resource => {
+              return (
+                combinationResource.id === resource.id &&
+                combinationResource.type === resource.type &&
+                JSON.stringify(combinationResource.wrapperData) === JSON.stringify(resource.wrapperData)
+              );
+            });
+          })
+        );
+      });
+    }),
+  };
+};
+
+export const getTestAuthorizationMiddleware = (
+  action: Action,
+  resourceGetter: ResourceGetter,
+  contextGetter?: ContextGetter
+) => {
+  return async function authorizationMiddleware(
+    request: BaseRequest,
+    response: BaseResponse,
+    next: NextFunction
+  ): Promise<void> {
+    contextGetter ||= defaultContextGetter;
+    const { userId, accountId } = contextGetter(request);
+    const resources = resourceGetter(request);
+    const { isAuthorized } = isActionAuthorized(accountId, userId, resources, action);
+    AuthorizationInternalService.markAuthorized(request);
+    if (!isAuthorized) {
+      response.status(403).json({ message: 'Access denied' });
+      return;
+    }
+    next();
+  };
+};