@mondaydotcomorg/monday-authorization 3.5.1 → 3.5.3-feat-shaime-support-entity-attributes-in-authorization-sdk-127d99a

package/src/base-attribute-assignment.ts

@@ -0,0 +1,55 @@
+import { ValidationUtils } from './utils/validation';
+
+/**
+ * Base class for attribute assignments (Resource or Entity)
+ * Provides common validation and functionality
+ */
+export abstract class BaseAttributeAssignment<TId extends number, TType extends string> {
+  public readonly id: TId;
+  public readonly type: TType;
+  public readonly attributeKey: string;
+  public readonly attributeValue: string;
+
+  constructor(
+    id: TId,
+    type: string,
+    attributeKey: string,
+    attributeValue: string,
+    validTypes: readonly string[],
+    idFieldName: string,
+    typeFieldName: string
+  ) {
+    // Validate id
+    ValidationUtils.validateInteger(id, idFieldName);
+
+    // Validate type
+    this.type = ValidationUtils.validateEnum(type, validTypes as readonly TType[], typeFieldName) as TType;
+
+    // Validate attributeKey
+    ValidationUtils.validateString(attributeKey, 'attributeKey');
+
+    // Validate attributeValue
+    ValidationUtils.validateString(attributeValue, 'attributeValue');
+
+    this.id = id;
+    this.attributeKey = attributeKey;
+    this.attributeValue = attributeValue;
+  }
+
+  /**
+   * Compares two assignments for equality
+   * @param other Another assignment instance
+   * @returns true if all properties are equal
+   */
+  equals(other: BaseAttributeAssignment<TId, TType>): boolean {
+    if (!(other instanceof this.constructor)) {
+      return false;
+    }
+    return (
+      this.id === other.id &&
+      this.type === other.type &&
+      this.attributeKey === other.attributeKey &&
+      this.attributeValue === other.attributeValue
+    );
+  }
+}

package/src/constants/sns.ts

@@ -1,5 +1,22 @@
-export const SNS_ARN_ENV_VAR_NAME = 'SHARED_AUTHORIZATION_SNS_ENDPOINT_RESOURCE_ATTRIBUTES';
-export const SNS_DEV_TEST_NAME =
+export enum SnsTopicType {
+  RESOURCE = 'resource',
+  ENTITY = 'entity',
+}
+
+// Resource SNS constants
+export const RESOURCE_SNS_ARN_ENV_VAR_NAME = 'SHARED_AUTHORIZATION_SNS_ENDPOINT_RESOURCE_ATTRIBUTES';
+export const RESOURCE_SNS_DEV_TEST_NAME =
   'arn:aws:sns:us-east-1:000000000000:monday-authorization-resource-attributes-sns-local';
+
+// Entity SNS constants
+export const ENTITY_SNS_ARN_ENV_VAR_NAME = 'SHARED_AUTHORIZATION_SNS_ENDPOINT_ENTITY_ATTRIBUTES';
+export const ENTITY_SNS_DEV_TEST_NAME =
+  'arn:aws:sns:us-east-1:000000000000:monday-authorization-entity-attributes-sns-local';
 export const RESOURCE_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND = 'resourceAttributeModification';
+export const ENTITY_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND = 'entityAttributeModification';
 export const ASYNC_RESOURCE_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE = 100;
+export const ASYNC_ENTITY_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE = 100;
+
+// Legacy exports for backward compatibility
+export const SNS_ARN_ENV_VAR_NAME = RESOURCE_SNS_ARN_ENV_VAR_NAME;
+export const SNS_DEV_TEST_NAME = RESOURCE_SNS_DEV_TEST_NAME;

package/src/entity-attribute-assignment.ts

@@ -0,0 +1,21 @@
+import { ENTITY_TYPES, EntityType } from './entity-attributes-constants';
+import { BaseAttributeAssignment } from './base-attribute-assignment';
+
+export class EntityAttributeAssignment extends BaseAttributeAssignment<number, EntityType> {
+  public readonly entityId: number;
+  public readonly entityType: EntityType;
+
+  constructor(entityId: number, entityType: string, attributeKey: string, attributeValue: string) {
+    super(entityId, entityType, attributeKey, attributeValue, Object.values(ENTITY_TYPES), 'entityId', 'entityType');
+    this.entityId = entityId;
+    this.entityType = this.type;
+  }
+  /**
+   * Compares two assignments for equality
+   * @param other Another EntityAttributeAssignment instance
+   * @returns true if all properties are equal
+   */
+  equals(other: EntityAttributeAssignment): boolean {
+    return super.equals(other);
+  }
+}

package/src/entity-attributes-constants.ts

@@ -0,0 +1,7 @@
+export const ENTITY_TYPES = {
+  USER: 'user',
+  TEAM: 'team',
+  ACCOUNT: 'account',
+} as const;
+
+export type EntityType = (typeof ENTITY_TYPES)[keyof typeof ENTITY_TYPES];

package/src/errors/argument-error.ts

@@ -0,0 +1,7 @@
+export class ArgumentError extends Error {
+  constructor(message: string) {
+    super(message);
+    this.name = 'ArgumentError';
+    Object.setPrototypeOf(this, ArgumentError.prototype);
+  }
+}

package/src/index.ts

@@ -58,6 +58,15 @@ export {
 } from './authorization-middleware';
 export { AuthorizationService, AuthorizeResponse } from './authorization-service';
 export { AuthorizationAttributesService } from './authorization-attributes-service';
+export { AuthorizationAttributesSnsService } from './authorization-attributes-sns-service';
+export { AuthorizationAttributesMsService } from './authorization-attributes-ms-service';
+export { IAuthorizationAttributesService } from './types/authorization-attributes-service.interface';
+export { ResourceAttributeAssignment } from './resource-attribute-assignment';
+export { RESOURCE_TYPES, RESOURCE_ATTRIBUTES_CONSTANTS } from './resource-attributes-constants';
+export { EntityAttributeAssignment } from './entity-attribute-assignment';
+export { ENTITY_TYPES } from './entity-attributes-constants';
+export { ArgumentError } from './errors/argument-error';
+export type { EntityType } from './entity-attributes-constants';
 export { RolesService } from './roles-service';
 export { MembershipsService } from './memberships';
 export { AuthorizationObject, Resource, BaseRequest, ResourceGetter, ContextGetter } from './types/general';

package/src/prometheus-service.ts

@@ -1,5 +1,3 @@
-import { Action } from './types/general';
-
 let prometheus: any = null;
 let authorizationCheckResponseTimeMetric: any = null;
 
@@ -36,7 +34,7 @@ export function getMetricsManager() {
 
 export function sendAuthorizationCheckResponseTimeMetric(
   resourceType: string,
-  action: Action,
+  action: string,
   isAuthorized: boolean,
   responseStatus: number,
   time: number

package/src/resource-attribute-assignment.ts

@@ -0,0 +1,43 @@
+import { RESOURCE_TYPES, ResourceType } from './resource-attributes-constants';
+import { BaseAttributeAssignment } from './base-attribute-assignment';
+
+export class ResourceAttributeAssignment extends BaseAttributeAssignment<number, ResourceType> {
+  public readonly resourceId: number;
+  public readonly resourceType: ResourceType;
+
+  constructor(resourceId: number, resourceType: string, attributeKey: string, attributeValue: string) {
+    super(
+      resourceId,
+      resourceType,
+      attributeKey,
+      attributeValue,
+      Object.values(RESOURCE_TYPES),
+      'resourceId',
+      'resourceType'
+    );
+    this.resourceId = resourceId;
+    this.resourceType = this.type;
+  }
+
+  /**
+   * Converts the assignment to a plain object with camelCase keys
+   * @returns Plain object with camelCase keys: { resourceId, resourceType, key, value }
+   */
+  toPlainObject(): { resourceId: number; resourceType: string; key: string; value: string } {
+    return {
+      resourceId: this.resourceId,
+      resourceType: this.resourceType,
+      key: this.attributeKey,
+      value: this.attributeValue,
+    };
+  }
+
+  /**
+   * Compares two assignments for equality
+   * @param other Another ResourceAttributeAssignment instance
+   * @returns true if all properties are equal
+   */
+  equals(other: ResourceAttributeAssignment): boolean {
+    return super.equals(other);
+  }
+}

package/src/resource-attributes-constants.ts

@@ -0,0 +1,35 @@
+export const RESOURCE_ATTRIBUTES_CONSTANTS = {
+  ACCOUNT_RESOURCE_ATTRIBUTES: {
+    ENABLE_MEMBERS_INVITE_FROM_NON_AUTH_DOMAIN: 'enable_members_invite_from_non_auth_domain',
+  },
+  WORKSPACE_RESOURCE_ATTRIBUTES: {
+    IS_DEFAULT_WORKSPACE: 'is_default_workspace',
+  },
+  BOARD_RESOURCE_ATTRIBUTES: {
+    IS_SYNCABLE_CHILD_ENTITY: 'is_syncable_child_entity',
+    SYSTEM_ENTITY_TYPE: 'system_entity_type',
+  },
+} as const;
+
+export type ResourceType =
+  | 'account'
+  | 'account_product'
+  | 'workspace'
+  | 'board'
+  | 'item'
+  | 'team'
+  | 'overview'
+  | 'document'
+  | 'crm';
+
+export const RESOURCE_TYPES = {
+  ACCOUNT: 'account',
+  ACCOUNT_PRODUCT: 'account_product',
+  WORKSPACE: 'workspace',
+  BOARD: 'board',
+  ITEM: 'item',
+  TEAM: 'team',
+  OVERVIEW: 'overview',
+  DOCUMENT: 'document',
+  CRM: 'crm',
+} as Record<string, ResourceType>;

package/src/testKit/index.ts

@@ -1,4 +1,4 @@
-import { Action, BaseRequest, BaseResponse, ContextGetter, Resource, ResourceGetter } from '../types/general';
+import { BaseRequest, BaseResponse, ContextGetter, Resource, ResourceGetter } from '../types/general';
 import { defaultContextGetter } from '../authorization-middleware';
 import { AuthorizationInternalService } from '../authorization-internal-service';
 import type { NextFunction } from 'express';
@@ -7,11 +7,11 @@ export type TestPermittedAction = {
   accountId: number;
   userId: number;
   resources: Resource[];
-  action: Action;
+  action: string;
 };
 
 let testPermittedActions: TestPermittedAction[] = [];
-export const addTestPermittedAction = (accountId: number, userId: number, resources: Resource[], action: Action) => {
+export const addTestPermittedAction = (accountId: number, userId: number, resources: Resource[], action: string) => {
   testPermittedActions.push({ accountId, userId, resources, action });
 };
 
@@ -19,7 +19,7 @@ export const clearTestPermittedActions = () => {
   testPermittedActions = [];
 };
 
-const isActionAuthorized = (accountId: number, userId: number, resources: Resource[], action: Action) => {
+const isActionAuthorized = (accountId: number, userId: number, resources: Resource[], action: string) => {
   // If no resources to check, deny access
   if (resources.length === 0) {
     return { isAuthorized: false };
@@ -46,7 +46,7 @@ const isActionAuthorized = (accountId: number, userId: number, resources: Resour
 };
 
 export const getTestAuthorizationMiddleware = (
-  action: Action,
+  action: string,
   resourceGetter: ResourceGetter,
   contextGetter?: ContextGetter
 ) => {

package/src/types/authorization-attributes-contracts.ts

@@ -1,33 +1,58 @@
 import { Resource } from './general';
+import type { EntityType } from '../entity-attributes-constants';
+import type { ResourceType } from '../resource-attributes-constants';
 
-export interface ResourceAttributeAssignment {
-  resourceType: Resource['type'];
-  resourceId: Resource['id'];
+export type { EntityType, ResourceType };
+
+interface AttributeAssignment {
   key: string;
   value: string;
 }
 
-export interface ResourceAttributeResponse {
-  attributes: ResourceAttributeAssignment[];
+// Resource Attribute Assignment - matching API contract
+export interface ResourceAttributeAssignment extends AttributeAssignment {
+  resourceId: number;
+  resourceType: ResourceType;
+}
+
+// Entity Attribute Assignment - matching API contract
+// Note: For validation, use the EntityAttributeAssignment class from '../entity-attribute-assignment'
+export interface EntityAttributeAssignment extends AttributeAssignment {
+  entityId: number;
+  entityType: EntityType;
 }
 
+// Legacy types for backward compatibility
 export interface ResourceAttributeDelete {
   resourceType: Resource['type'];
   resourceId: Resource['id'];
   key: string;
 }
 
-export enum ResourceAttributeOperationEnum {
+export interface EntityAttributeDelete {
+  entityType: EntityType;
+  entityId: number;
+  key: string;
+}
+
+export enum AttributeOperation {
   UPSERT = 'upsert',
   DELETE = 'delete',
 }
 
-interface UpsertResourceAttributeOperation extends ResourceAttributeAssignment {
-  operationType: ResourceAttributeOperationEnum.UPSERT;
+// Response types
+export interface ResourceAttributeResponse {
+  attributes: ResourceAttributeAssignment[];
 }
 
-interface DeleteResourceAttributeOperation extends ResourceAttributeDelete {
-  operationType: ResourceAttributeOperationEnum.DELETE;
+export interface EntityAttributeResponse {
+  attributes: EntityAttributeAssignment[];
 }
 
-export type ResourceAttributesOperation = UpsertResourceAttributeOperation | DeleteResourceAttributeOperation;
+export interface ResourceAttributeOperation extends ResourceAttributeAssignment {
+  operationType: AttributeOperation;
+}
+
+export interface EntityAttributeOperation extends EntityAttributeAssignment {
+  operationType: AttributeOperation;
+}

package/src/types/authorization-attributes-service.interface.ts

@@ -0,0 +1,101 @@
+import {
+  ResourceAttributeAssignment as ResourceAttributeAssignmentContract,
+  EntityAttributeAssignment as EntityAttributeAssignmentContract,
+  EntityType,
+  ResourceAttributeOperation,
+  EntityAttributeOperation,
+} from './authorization-attributes-contracts';
+import { ResourceAttributeAssignment } from '../resource-attribute-assignment';
+import { EntityAttributeAssignment } from '../entity-attribute-assignment';
+import { Resource } from './general';
+
+/**
+ * Resource type compatible with both MS and SNS services
+ */
+export interface CompatibleResource {
+  resourceType?: string;
+  resourceId?: number;
+  type?: string;
+  id?: number;
+}
+
+/**
+ * Interface for authorization attributes operations.
+ * Both MS (direct) and SNS (async) services implement this interface.
+ */
+export interface IAuthorizationAttributesService {
+  /**
+   * Upserts resource attributes.
+   * For MS service: returns Promise<void>
+   * For SNS service: requires appName and callerActionIdentifier, returns Promise<ResourceAttributesOperation[]>
+   */
+  upsertResourceAttributes(
+    accountId: number,
+    resourceAttributeAssignments: ResourceAttributeAssignment[] | ResourceAttributeAssignmentContract[],
+    appName?: string,
+    callerActionIdentifier?: string
+  ): Promise<void | ResourceAttributeOperation[]>;
+
+  /**
+   * Deletes resource attributes.
+   * For MS service: returns Promise<void>
+   * For SNS service: requires appName and callerActionIdentifier, returns Promise<ResourceAttributesOperation[]>
+   */
+  deleteResourceAttributes(
+    accountId: number,
+    resource: CompatibleResource | Resource,
+    attributeKeys: string[],
+    appName?: string,
+    callerActionIdentifier?: string
+  ): Promise<void | ResourceAttributeOperation[]>;
+
+  /**
+   * Upserts entity attributes.
+   * For MS service: returns Promise<void>
+   * For SNS service: requires appName and callerActionIdentifier, returns Promise<EntityAttributesOperation[]>
+   */
+  upsertEntityAttributes(
+    accountId: number,
+    entityAttributeAssignments: EntityAttributeAssignment[] | EntityAttributeAssignmentContract[],
+    appName?: string,
+    callerActionIdentifier?: string
+  ): Promise<void | EntityAttributeOperation[]>;
+
+  /**
+   * Deletes entity attributes.
+   * For MS service: returns Promise<void>
+   * For SNS service: requires appName and callerActionIdentifier, returns Promise<EntityAttributesOperation[]>
+   */
+  deleteEntityAttributes(
+    accountId: number,
+    entityType: EntityType | string,
+    entityId: number,
+    attributeKeys: string[],
+    appName?: string,
+    callerActionIdentifier?: string
+  ): Promise<void | EntityAttributeOperation[]>;
+
+  /**
+   * Updates resource attributes (batch operations).
+   * For MS service: may throw error or delegate to upsert/delete
+   * For SNS service: returns Promise<ResourceAttributesOperation[]>
+   */
+  updateResourceAttributes(
+    accountId: number,
+    appName: string,
+    callerActionIdentifier: string,
+    resourceAttributeOperations: ResourceAttributeOperation[]
+  ): Promise<ResourceAttributeOperation[]>;
+
+  /**
+   * Updates entity attributes (batch operations).
+   * For MS service: may throw error or delegate to upsert/delete
+   * For SNS service: returns Promise<EntityAttributesOperation[]>
+   */
+  updateEntityAttributes(
+    accountId: number,
+    appName: string,
+    callerActionIdentifier: string,
+    entityAttributeOperations: EntityAttributeOperation[]
+  ): Promise<EntityAttributeOperation[]>;
+}

package/src/types/general.ts

@@ -5,16 +5,17 @@ export interface Resource {
   type: string;
   wrapperData?: object;
 }
-export type Action = string;
+
 export interface Context {
   accountId: number;
   userId: number;
 }
+
 export interface AuthorizationObject {
   resource_id?: Resource['id'];
   resource_type: Resource['type'];
   wrapper_data?: Resource['wrapperData'];
-  action: Action;
+  action: string;
 }
 export interface AuthorizationParams {
   authorizationObjects: AuthorizationObject[];

package/src/utils/validation.ts

@@ -0,0 +1,114 @@
+import { z } from 'zod';
+import { ArgumentError } from '../errors/argument-error';
+
+/**
+ * Utility class for common validation operations using Zod
+ */
+export class ValidationUtils {
+  /**
+   * Validates that a value is an integer
+   * @param value The value to validate
+   * @param fieldName The name of the field for error messages
+   * @throws ArgumentError if value is not an integer
+   */
+  static validateInteger(value: any, fieldName: string): void {
+    const schema = z.number().int();
+    try {
+      schema.parse(value);
+    } catch (error) {
+      if (error instanceof z.ZodError) {
+        throw new ArgumentError(`${fieldName} must be an integer, got: ${value}`);
+      }
+      throw error;
+    }
+  }
+
+  /**
+   * Validates that a value is a non-empty string
+   * @param value The value to validate
+   * @param fieldName The name of the field for error messages
+   * @throws ArgumentError if value is not a string or is empty
+   */
+  static validateString(value: any, fieldName: string): void {
+    const schema = z.string().min(1);
+    try {
+      schema.parse(value);
+    } catch (error) {
+      if (error instanceof z.ZodError) {
+        if (typeof value !== 'string') {
+          throw new ArgumentError(`${fieldName} must be a string, got: ${typeof value}`);
+        }
+        throw new ArgumentError(`${fieldName} must be a non-empty string`);
+      }
+      throw error;
+    }
+  }
+
+  /**
+   * Validates that a value is an array and optionally checks minimum length
+   * @param value The value to validate
+   * @param fieldName The name of the field for error messages
+   * @param minLength Minimum required length (default: 0)
+   * @returns The validated array
+   * @throws ArgumentError if value is not an array or doesn't meet minimum length
+   */
+  static validateArray<T>(value: any, fieldName: string, minLength = 0): T[] {
+    const schema = z.array(z.any()).min(minLength);
+    try {
+      return schema.parse(value) as T[];
+    } catch (error) {
+      if (error instanceof z.ZodError) {
+        if (!Array.isArray(value)) {
+          throw new ArgumentError(`${fieldName} must be an array`);
+        }
+        throw new ArgumentError(`${fieldName} must have at least ${minLength} items`);
+      }
+      throw error;
+    }
+  }
+
+  /**
+   * Validates that a value is one of the allowed enum values
+   * @param value The value to validate
+   * @param validValues Array of valid values
+   * @param fieldName The name of the field for error messages
+   * @returns The validated value as the enum type
+   * @throws ArgumentError if value is not in validValues
+   */
+  static validateEnum<T extends string>(value: string, validValues: readonly T[], fieldName: string): T {
+    const schema = z.enum(validValues as [T, ...T[]]);
+    try {
+      return schema.parse(value) as T;
+    } catch (error) {
+      if (error instanceof z.ZodError) {
+        throw new ArgumentError(`${fieldName} must be one of [${validValues.join(', ')}], got: ${value}`);
+      }
+      throw error;
+    }
+  }
+
+  /**
+   * Validates that all items in an array are strings
+   * @param value Array to validate
+   * @param fieldName The name of the field for error messages
+   * @throws ArgumentError if any item is not a string
+   */
+  static validateStringArray(value: any[], fieldName: string): void {
+    const schema = z.array(z.string());
+    try {
+      schema.parse(value);
+    } catch (error) {
+      if (error instanceof z.ZodError) {
+        const zodError = error as z.ZodError;
+        const firstError = zodError.issues[0];
+        // Check if it's an array item validation error
+        if (firstError.path.length > 0 && typeof firstError.path[0] === 'number') {
+          const index = firstError.path[0];
+          throw new ArgumentError(`All ${fieldName} must be strings, but item at index ${index} is not`);
+        }
+        throw new ArgumentError(`${fieldName} must be an array`);
+      }
+      throw error;
+    }
+  }
+}