@mondaydotcomorg/monday-authorization 3.3.0-feature-bashanye-navigate-can-action-in-scope-to-graph-2992133 → 3.3.0-feature-bashanye-navigate-can-action-in-scope-to-graph-36f311f

package/src/clients/platform-api.client.ts

@@ -1,118 +0,0 @@
-import { Api } from '@mondaydotcomorg/trident-backend-api';
-import { HttpFetcherError } from '@mondaydotcomorg/monday-fetch-api';
-import { ScopedAction, ScopedActionResponseObject } from '../types/scoped-actions-contracts';
-import { AuthorizationInternalService, logger } from '../authorization-internal-service';
-import { getAttributionsFromApi, PlatformProfile } from '../attributions-service';
-import { toCamelCase, toSnakeCase, scopeToResource } from '../utils/authorization.utils';
-import { incrementAuthorizationError } from '../prometheus-service';
-
-const PLATFORM_CAN_ACTIONS_IN_SCOPES_PATH = '/internal_ms/authorization/can_actions_in_scopes';
-
-// ScopedAction with snake_case scope keys for Platform API payload
-type ScopedActionPlatformPayload = Omit<ScopedAction, 'scope'> & {
-  scope: Record<string, number>;
-};
-
-interface CanActionsInScopesResponse {
-  result: ScopedActionResponseObject[];
-}
-
-/**
- * Client for handling Platform API authorization operations
- */
-export class PlatformApiClient {
-  /**
-   * Builds the request payload for Platform API calls
-   */
-  static buildRequestPayload(scopedActions: ScopedAction[]): ScopedActionPlatformPayload[] {
-    return scopedActions.map(scopedAction => ({
-      ...scopedAction,
-      scope: toSnakeCase(scopedAction.scope) as Record<string, number>,
-    }));
-  }
-
-  /**
-   * Fetches authorization data from the Platform API
-   */
-  static async fetchPermissions(
-    profile: PlatformProfile,
-    internalAuthToken: string,
-    userId: number,
-    scopedActionsPayload: ScopedActionPlatformPayload[]
-  ): Promise<CanActionsInScopesResponse> {
-    const attributionHeaders = getAttributionsFromApi();
-    const httpClient = Api.getPart('httpClient');
-
-
-    try {
-      const response = await httpClient!.fetch<CanActionsInScopesResponse>(
-        {
-          url: {
-            appName: 'platform',
-            path: PLATFORM_CAN_ACTIONS_IN_SCOPES_PATH,
-            profile,
-          },
-          method: 'POST',
-          headers: {
-            Authorization: internalAuthToken,
-            'Content-Type': 'application/json',
-            ...attributionHeaders,
-          },
-          body: JSON.stringify({ user_id: userId, scoped_actions: scopedActionsPayload }),
-        },
-        {
-          timeout: AuthorizationInternalService.getRequestTimeout(),
-          retryPolicy: AuthorizationInternalService.getRetriesPolicy(),
-        }
-      );
-
-
-      return response;
-    } catch (err) {
-      if (err instanceof HttpFetcherError) {
-        AuthorizationInternalService.throwOnHttpError(err.status, 'canActionInScopeMultiple');
-        incrementAuthorizationError(
-          scopeToResource(toCamelCase(scopedActionsPayload[0].scope) as any).resourceType,
-          scopedActionsPayload[0].action,
-          err.status
-        );
-      }
-      throw err;
-    }
-  }
-
-  /**
-   * Maps Platform API response to the expected format
-   */
-  static mapResponse(response: CanActionsInScopesResponse): ScopedActionResponseObject[] {
-    if (!response) {
-      logger.error({ tag: 'platform-api-client', response }, 'PlatformApiClient: missing response');
-      throw new Error('PlatformApiClient: missing response');
-    }
-
-    return response.result.map(responseObject => {
-      const { scopedAction, permit } = responseObject;
-      const { scope } = scopedAction;
-
-      return {
-        ...responseObject,
-        scopedAction: { ...scopedAction, scope: toCamelCase(scope) },
-        permit: toCamelCase(permit),
-      };
-    });
-  }
-
-  /**
-   * Performs a complete authorization check using the Platform API
-   */
-  static async checkPermissions(
-    profile: PlatformProfile,
-    internalAuthToken: string,
-    userId: number,
-    scopedActions: ScopedAction[]
-  ): Promise<ScopedActionResponseObject[]> {
-    const scopedActionsPayload = this.buildRequestPayload(scopedActions);
-    const platformResponse = await this.fetchPermissions(profile, internalAuthToken, userId, scopedActionsPayload);
-    return this.mapResponse(platformResponse);
-  }
-}

package/src/constants/sns.ts

@@ -1,5 +0,0 @@
-export const SNS_ARN_ENV_VAR_NAME = 'SHARED_AUTHORIZATION_SNS_ENDPOINT_RESOURCE_ATTRIBUTES';
-export const SNS_DEV_TEST_NAME =
-  'arn:aws:sns:us-east-1:000000000000:monday-authorization-resource-attributes-sns-local';
-export const RESOURCE_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND = 'resourceAttributeModification';
-export const ASYNC_RESOURCE_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE = 100;

package/src/constants.ts

@@ -1,22 +0,0 @@
-import { RecursivePartial } from '@mondaydotcomorg/monday-fetch-api';
-import { FetcherConfig } from '@mondaydotcomorg/trident-backend-api';
-
-export const APP_NAME = 'authorization';
-
-export const ERROR_MESSAGES = {
-  HTTP_CLIENT_NOT_INITIALIZED: 'MondayAuthorization: HTTP client is not initialized',
-  REQUEST_FAILED: (method: string, status: number, reason: string) =>
-    `MondayAuthorization: [${method}] request failed with status ${status} with reason: ${reason}`,
-} as const;
-
-export const DEFAULT_FETCH_OPTIONS: RecursivePartial<FetcherConfig> = {
-  retryPolicy: {
-    useRetries: true,
-    maxRetries: 3,
-    retryDelayMS: 10,
-  },
-  logPolicy: {
-    logErrors: 'error',
-    logRequests: 'info',
-  },
-};

package/src/index.ts

@@ -1,46 +0,0 @@
-import { MondayFetchOptions } from '@mondaydotcomorg/monday-fetch';
-import { setPrometheus } from './prometheus-service';
-import { setIgniteClient, setRedisClient, setRequestFetchOptions } from './authorization-service';
-import * as TestKit from './testKit';
-
-export interface InitOptions {
-  prometheus?: any;
-  mondayFetchOptions?: MondayFetchOptions;
-  redisClient?: any;
-  grantedFeatureRedisExpirationInSeconds?: number;
-}
-
-export async function init(options: InitOptions = {}) {
-  if (options.prometheus) {
-    setPrometheus(options.prometheus);
-  }
-
-  if (options.mondayFetchOptions) {
-    setRequestFetchOptions(options.mondayFetchOptions);
-  }
-  if (options.redisClient) {
-    setRedisClient(options.redisClient, options.grantedFeatureRedisExpirationInSeconds);
-  }
-
-  // add an ignite client for gradual release features
-  await setIgniteClient();
-}
-
-export {
-  authorizationCheckMiddleware,
-  getAuthorizationMiddleware,
-  skipAuthorizationMiddleware,
-} from './authorization-middleware';
-export { AuthorizationService, AuthorizeResponse } from './authorization-service';
-export { AuthorizationAttributesService } from './authorization-attributes-service';
-export { RolesService } from './roles-service';
-export { AuthorizationObject, Resource, BaseRequest, ResourceGetter, ContextGetter } from './types/general';
-export {
-  Translation,
-  ScopedAction,
-  ScopedActionResponseObject,
-  ScopedActionPermit,
-} from './types/scoped-actions-contracts';
-export { CustomRole, BasicRole, RoleType, RoleCreateRequest, RoleUpdateRequest, RolesResponse } from './types/roles';
-
-export { TestKit };

package/src/prometheus-service.ts

@@ -1,147 +0,0 @@
-import { Action } from './types/general';
-
-let prometheus: any = null;
-let authorizationCheckResponseTimeMetric: any = null;
-let authorizationSuccessMetric: any = null;
-let authorizationErrorMetric: any = null;
-let graphAvailabilityMetric: any = null;
-
-export const METRICS = {
-  AUTHORIZATION_CHECK: 'authorization_check',
-  AUTHORIZATION_CHECKS_PER_REQUEST: 'authorization_checks_per_request',
-  AUTHORIZATION_CHECK_RESPONSE_TIME: 'authorization_check_response_time',
-};
-
-const authorizationCheckResponseTimeMetricConfig = {
-  name: METRICS.AUTHORIZATION_CHECK_RESPONSE_TIME,
-  labels: ['resourceType', 'action', 'isAuthorized', 'responseStatus', 'apiType'],
-  description: 'Authorization check response time summary',
-};
-
-export function setPrometheus(customPrometheus) {
-  prometheus = customPrometheus;
-  if (!prometheus) {
-    authorizationCheckResponseTimeMetric = null;
-    authorizationSuccessMetric = null;
-    authorizationErrorMetric = null;
-    graphAvailabilityMetric = null;
-    return;
-  }
-
-  const { METRICS_TYPES } = prometheus;
-  const metricsManager = getMetricsManager();
-  if (metricsManager) {
-    authorizationCheckResponseTimeMetric = metricsManager.addMetric(
-      METRICS_TYPES.SUMMARY,
-      authorizationCheckResponseTimeMetricConfig.name,
-      authorizationCheckResponseTimeMetricConfig.labels,
-      authorizationCheckResponseTimeMetricConfig.description
-    );
-
-    initializeAdditionalMetrics();
-  }
-}
-
-export function getMetricsManager() {
-  return prometheus?.metricsManager;
-}
-
-export function sendAuthorizationCheckResponseTimeMetric(
-  resourceType: string,
-  action: Action,
-  isAuthorized: boolean,
-  responseStatus: number,
-  time: number,
-  apiType: 'platform' | 'graph' = 'platform'
-) {
-  try {
-    if (authorizationCheckResponseTimeMetric) {
-      authorizationCheckResponseTimeMetric
-        .labels(resourceType, action, isAuthorized, responseStatus, apiType)
-        .observe(time);
-    }
-  } catch (e) {
-    // ignore
-  }
-}
-
-const authorizationSuccessMetricConfig = {
-  name: 'authorization_success_total',
-  labels: ['resourceType', 'action'],
-  description: 'Total number of successful authorization checks',
-};
-
-const authorizationErrorMetricConfig = {
-  name: 'authorization_error_total',
-  labels: ['resourceType', 'action', 'statusCode'],
-  description: 'Total number of authorization errors',
-};
-
-const graphAvailabilityMetricConfig = {
-  name: 'graph_api_availability',
-  labels: ['available'],
-  description: 'Graph API availability status',
-};
-
-export function incrementAuthorizationSuccess(resourceType: string, action: Action) {
-  try {
-    if (authorizationSuccessMetric) {
-      authorizationSuccessMetric.labels(resourceType, action).inc();
-    }
-  } catch (e) {
-    // ignore
-  }
-}
-
-export function incrementAuthorizationError(resourceType: string, action: Action, statusCode: number) {
-  try {
-    if (authorizationErrorMetric) {
-      authorizationErrorMetric.labels(resourceType, action, statusCode).inc();
-    }
-  } catch (e) {
-    // ignore
-  }
-}
-
-export function setGraphAvailability(isAvailable: boolean) {
-  try {
-    if (graphAvailabilityMetric) {
-      graphAvailabilityMetric.labels(isAvailable ? 'true' : 'false').set(isAvailable ? 1 : 0);
-    }
-  } catch (e) {
-    // ignore
-  }
-}
-
-// Initialize additional metrics when prometheus is set
-function initializeAdditionalMetrics() {
-  if (!prometheus) {
-    return;
-  }
-
-  const { METRICS_TYPES } = prometheus;
-  const metricsManager = getMetricsManager();
-
-  if (metricsManager) {
-    authorizationSuccessMetric = metricsManager.addMetric(
-      METRICS_TYPES.COUNTER,
-      authorizationSuccessMetricConfig.name,
-      authorizationSuccessMetricConfig.labels,
-      authorizationSuccessMetricConfig.description
-    );
-
-    authorizationErrorMetric = metricsManager.addMetric(
-      METRICS_TYPES.COUNTER,
-      authorizationErrorMetricConfig.name,
-      authorizationErrorMetricConfig.labels,
-      authorizationErrorMetricConfig.description
-    );
-
-    graphAvailabilityMetric = metricsManager.addMetric(
-      METRICS_TYPES.GAUGE,
-      graphAvailabilityMetricConfig.name,
-      graphAvailabilityMetricConfig.labels,
-      graphAvailabilityMetricConfig.description
-    );
-  }
-}

package/src/roles-service.ts

@@ -1,125 +0,0 @@
-import { Api, FetcherConfig, HttpClient } from '@mondaydotcomorg/trident-backend-api';
-import { HttpFetcherError, RecursivePartial } from '@mondaydotcomorg/monday-fetch-api';
-import { RoleCreateRequest, RolesResponse, RoleUpdateRequest } from 'types/roles';
-import { getAttributionsFromApi } from 'attributions-service';
-import { APP_NAME, DEFAULT_FETCH_OPTIONS, ERROR_MESSAGES } from './constants';
-
-const API_PATH = '/roles/account/{accountId}';
-
-export class RolesService {
-  private httpClient: HttpClient;
-  private fetchOptions: RecursivePartial<FetcherConfig>;
-  private attributionHeaders: { [key: string]: string };
-
-  /**
-   * Public constructor to create the AuthorizationAttributesService instance.
-   * @param httpClient The HTTP client to use for API requests, if not provided, the default HTTP client from Api will be used.
-   * @param fetchOptions The fetch options to use for API requests, if not provided, the default fetch options will be used.
-   */
-  constructor(httpClient?: HttpClient, fetchOptions?: RecursivePartial<FetcherConfig>) {
-    if (!httpClient) {
-      httpClient = Api.getPart('httpClient');
-      if (!httpClient) {
-        throw new Error(ERROR_MESSAGES.HTTP_CLIENT_NOT_INITIALIZED);
-      }
-    }
-
-    if (!fetchOptions) {
-      fetchOptions = DEFAULT_FETCH_OPTIONS;
-    } else {
-      fetchOptions = {
-        ...DEFAULT_FETCH_OPTIONS,
-        ...fetchOptions,
-      };
-    }
-    this.httpClient = httpClient;
-    this.fetchOptions = fetchOptions;
-    this.attributionHeaders = getAttributionsFromApi();
-  }
-
-  /**
-   * Get all roles for an account
-   * @param accountId - The account ID
-   * @param style - The style of the roles to return, either 'A' or 'B', default is 'A'. 'B' is not deprecated and only available for backward compatibility.
-   * @returns - The roles for the account, both basic and custom roles. Note that basic role ids are returned in A style and not B style.
-   */
-  async getRoles(accountId: number, resourceTypes: string[], style: 'A' | 'B' = 'A'): Promise<RolesResponse> {
-    return await this.sendRoleRequest('GET', accountId, {}, { resourceTypes, style });
-  }
-
-  /**
-   * Create a custom role for an account
-   * @param accountId - The account ID
-   * @param roles - The roles to create
-   * @returns - The created roles
-   * Note that basic role ids should be provided in A style and not in B style.
-   */
-  async createCustomRole(accountId: number, roles: RoleCreateRequest[]): Promise<RolesResponse> {
-    if (roles.length === 0) {
-      throw new Error('Roles array cannot be empty');
-    }
-
-    return await this.sendRoleRequest('PUT', accountId, {
-      customRoles: roles,
-    });
-  }
-
-  /**
-   * Delete a custom role for an account
-   * @param accountId - The account ID
-   * @param roleIds - The ids of the roles to delete
-   * @returns - The deleted roles. Note that basic role ids should be provided in A style and not in B style.
-   */
-  async deleteCustomRole(accountId: number, roleIds: number[]): Promise<RolesResponse> {
-    return await this.sendRoleRequest('DELETE', accountId, {
-      ids: roleIds,
-    });
-  }
-
-  /**
-   * Update a custom role for an account
-   * @param accountId - The account ID
-   * @param updateRequests - The requests to update the roles
-   * @returns - The updated roles. Note that basic role ids should be provided in A style and not in B style.
-   */
-  async updateCustomRole(accountId: number, updateRequests: RoleUpdateRequest[]): Promise<RolesResponse> {
-    return await this.sendRoleRequest('PATCH', accountId, {
-      customRoles: updateRequests,
-    });
-  }
-
-  private async sendRoleRequest(
-    method: 'PUT' | 'GET' | 'DELETE' | 'PATCH',
-    accountId: number,
-    body: any,
-    additionalQueryParams: { [key: string]: any } = {},
-    style: 'A' | 'B' = 'A'
-  ): Promise<RolesResponse> {
-    try {
-      return await this.httpClient.fetch<RolesResponse>(
-        {
-          url: {
-            appName: APP_NAME,
-            path: API_PATH.replace('{accountId}', accountId.toString()),
-          },
-          query: {
-            style: style,
-            ...additionalQueryParams,
-          },
-          method,
-          headers: {
-            'Content-Type': 'application/json',
-            ...this.attributionHeaders,
-          },
-          body: method === 'GET' ? undefined : body,
-        },
-        this.fetchOptions
-      );
-    } catch (err) {
-      if (err instanceof HttpFetcherError) {
-        throw new Error(ERROR_MESSAGES.REQUEST_FAILED('sendRoleRequest', err.status, err.message));
-      }
-      throw err;
-    }
-  }
-}

package/src/testKit/index.ts

@@ -1,69 +0,0 @@
-import { Action, BaseRequest, BaseResponse, ContextGetter, Resource, ResourceGetter } from '../types/general';
-import { defaultContextGetter } from '../authorization-middleware';
-import { AuthorizationInternalService } from '../authorization-internal-service';
-import type { NextFunction } from 'express';
-
-export type TestPermittedAction = {
-  accountId: number;
-  userId: number;
-  resources: Resource[];
-  action: Action;
-};
-
-let testPermittedActions: TestPermittedAction[] = [];
-export const addTestPermittedAction = (accountId: number, userId: number, resources: Resource[], action: Action) => {
-  testPermittedActions.push({ accountId, userId, resources, action });
-};
-
-export const clearTestPermittedActions = () => {
-  testPermittedActions = [];
-};
-
-const isActionAuthorized = (accountId: number, userId: number, resources: Resource[], action: Action) => {
-  // If no resources to check, deny access
-  if (resources.length === 0) {
-    return { isAuthorized: false };
-  }
-
-  return {
-    isAuthorized: resources.every(resource => {
-      return testPermittedActions.some(combination => {
-        return (
-          combination.accountId === accountId &&
-          combination.userId === userId &&
-          combination.action === action &&
-          combination.resources.some(combinationResource => {
-            return (
-              combinationResource.id === resource.id &&
-              combinationResource.type === resource.type &&
-              JSON.stringify(combinationResource.wrapperData) === JSON.stringify(resource.wrapperData)
-            );
-          })
-        );
-      });
-    }),
-  };
-};
-
-export const getTestAuthorizationMiddleware = (
-  action: Action,
-  resourceGetter: ResourceGetter,
-  contextGetter?: ContextGetter
-) => {
-  return async function authorizationMiddleware(
-    request: BaseRequest,
-    response: BaseResponse,
-    next: NextFunction
-  ): Promise<void> {
-    contextGetter ||= defaultContextGetter;
-    const { userId, accountId } = contextGetter(request);
-    const resources = resourceGetter(request);
-    const { isAuthorized } = isActionAuthorized(accountId, userId, resources, action);
-    if (!isAuthorized) {
-      response.status(403).json({ message: 'Access denied' });
-      return;
-    }
-    AuthorizationInternalService.markAuthorized(request);
-    next();
-  };
-};

package/src/types/authorization-attributes-contracts.ts

@@ -1,33 +0,0 @@
-import { Resource } from './general';
-
-export interface ResourceAttributeAssignment {
-  resourceType: Resource['type'];
-  resourceId: Resource['id'];
-  key: string;
-  value: string;
-}
-
-export interface ResourceAttributeResponse {
-  attributes: ResourceAttributeAssignment[];
-}
-
-export interface ResourceAttributeDelete {
-  resourceType: Resource['type'];
-  resourceId: Resource['id'];
-  key: string;
-}
-
-export enum ResourceAttributeOperationEnum {
-  UPSERT = 'upsert',
-  DELETE = 'delete',
-}
-
-interface UpsertResourceAttributeOperation extends ResourceAttributeAssignment {
-  operationType: ResourceAttributeOperationEnum.UPSERT;
-}
-
-interface DeleteResourceAttributeOperation extends ResourceAttributeDelete {
-  operationType: ResourceAttributeOperationEnum.DELETE;
-}
-
-export type ResourceAttributesOperation = UpsertResourceAttributeOperation | DeleteResourceAttributeOperation;

package/src/types/express.ts

@@ -1,8 +0,0 @@
-// eslint-disable-next-line @typescript-eslint/no-namespace, @typescript-eslint/no-unused-vars
-declare namespace Express {
-  export interface Request {
-    payload: { accountId: number; userId: number };
-    authorizationCheckPerformed: boolean;
-    authorizationSkipPerformed: boolean;
-  }
-}

package/src/types/general.ts

@@ -1,32 +0,0 @@
-import type { Request, Response } from 'express';
-
-export interface Resource {
-  id?: number;
-  type: string;
-  wrapperData?: object;
-}
-export type Action = string;
-export interface Context {
-  accountId: number;
-  userId: number;
-}
-export interface AuthorizationObject {
-  resource_id?: Resource['id'];
-  resource_type: Resource['type'];
-  wrapper_data?: Resource['wrapperData'];
-  action: Action;
-}
-export interface AuthorizationParams {
-  authorizationObjects: AuthorizationObject[];
-}
-
-type BasicObject = { [key: string]: unknown };
-
-export type BaseParameters = BasicObject;
-export type BaseResponseBody = BasicObject;
-export type BaseBodyParameters = BasicObject;
-export type BaseQueryParameters = BasicObject;
-export type BaseRequest = Request<BaseParameters, BaseResponseBody, BaseBodyParameters, BaseQueryParameters>;
-export type BaseResponse = Response<BaseResponseBody>;
-export type ResourceGetter = (request: BaseRequest) => Resource[];
-export type ContextGetter = (request: BaseRequest) => Context;

package/src/types/graph-api.types.ts

@@ -1,19 +0,0 @@
-// Graph API related types and interfaces
-
-export type ResourceType = string;
-export type ResourceId = number;
-export type ActionName = string;
-
-export type GraphIsAllowedDto = Record<ResourceType, Record<ResourceId, ActionName[]>>;
-
-export type GraphPermissionResult = {
-  can: boolean;
-  reason: string;
-};
-
-// Permission to its result
-export type GraphPermissionResults = Record<ActionName, GraphPermissionResult>;
-
-// Resource type to map of resource ids to their permissions results
-// Note: Resource IDs are string keys in the API response (JSON object keys are always strings)
-export type GraphIsAllowedResponse = Record<ResourceType, Record<string, GraphPermissionResults>>;

package/src/types/roles.ts

@@ -1,42 +0,0 @@
-export enum RoleType {
-  CUSTOM = 'custom_role',
-  BASIC = 'basic_role',
-}
-
-export interface CustomRole {
-  id?: number;
-  name: string;
-  resourceType: string;
-  resourceId: number;
-  basicRoleId: number;
-  basicRoleType: RoleType;
-}
-
-export interface BasicRole {
-  id: number;
-  resourceType: string;
-  roleType: string;
-  name: string;
-}
-
-export interface RolesResponse {
-  customRoles: CustomRole[];
-  basicRoles?: BasicRole[];
-}
-
-export interface RoleCreateRequest {
-  name: string;
-  resourceType: string;
-  resourceId: number;
-  sourceRole: {
-    id: number;
-    type: RoleType;
-  };
-}
-
-export interface RoleUpdateRequest {
-  id: number;
-  updateAttributes: {
-    name: string;
-  };
-}