@nu-art/permissions-backend 0.401.9 → 0.500.6

package/index.d.ts

@@ -1,4 +1,15 @@
 export * from './core/module-pack.js';
-export * from './modules/index.js';
-export * from './_entity.js';
-export * from './types.js';
+export * from './core/function-permission-registry.js';
+export * from './assertion-types.js';
+export * from './RequirePermission.js';
+export * from './modules/ModuleBE_Permissions.js';
+export * from './modules/ModuleBE_PermissionsAssert.js';
+export * from './_entity/permission-scope/ModuleBE_PermissionScopeDB.js';
+export * from './_entity/permission-scope/module-pack.js';
+export * from './_entity/user-permissions/ModuleBE_UserPermissionsDB.js';
+export * from './_entity/user-permissions/ModuleBE_UserPermissionsAPI.js';
+export * from './_entity/user-permissions/module-pack.js';
+export * from './_entity/access-group/ModuleBE_AccessGroupDB.js';
+export * from './_entity/access-group/module-pack.js';
+export * from './document-access-enforcement.js';
+export * from './document-access-api.js';

package/index.js

@@ -17,6 +17,17 @@
  * limitations under the License.
  */
 export * from './core/module-pack.js';
-export * from './modules/index.js';
-export * from './_entity.js';
-export * from './types.js';
+export * from './core/function-permission-registry.js';
+export * from './assertion-types.js';
+export * from './RequirePermission.js';
+export * from './modules/ModuleBE_Permissions.js';
+export * from './modules/ModuleBE_PermissionsAssert.js';
+export * from './_entity/permission-scope/ModuleBE_PermissionScopeDB.js';
+export * from './_entity/permission-scope/module-pack.js';
+export * from './_entity/user-permissions/ModuleBE_UserPermissionsDB.js';
+export * from './_entity/user-permissions/ModuleBE_UserPermissionsAPI.js';
+export * from './_entity/user-permissions/module-pack.js';
+export * from './_entity/access-group/ModuleBE_AccessGroupDB.js';
+export * from './_entity/access-group/module-pack.js';
+export * from './document-access-enforcement.js';
+export * from './document-access-api.js';

package/modules/ModuleBE_Permissions.d.ts

@@ -1,77 +1,68 @@
-import { Module, TypedMap } from '@nu-art/ts-common';
-import { DB_PermissionGroup, DB_PermissionProject, DefaultDef_Group, SessionData_Permissions } from '@nu-art/permissions-shared';
-import { BaseSessionClaims, CollectSessionData } from '@nu-art/user-account-backend';
-import { PerformProjectSetup } from '@nu-art/thunderstorm-backend/modules/action-processor/Action_SetupProject';
-import { DefaultDef_Project } from '../types.js';
-export interface CollectPermissionsProjects {
-    __collectPermissionsProjects(): DefaultDef_Project;
+import { Module, UniqueId } from '@nu-art/ts-common';
+import type { DB_Prototype } from '@nu-art/db-api-shared';
+import type { ModuleBE_BaseDB } from '@nu-art/db-api-backend';
+import type { DatabaseDef_AccessGroup, DocumentAccessInner } from '@nu-art/permissions-shared';
+import { type PerformProjectSetup, type SetupTask } from '@nu-art/action-processor-backend';
+import type { OnAccessGroupChanged } from '../_entity/access-group/ModuleBE_AccessGroupDB.js';
+import { FirebaseRef } from '@nu-art/firebase-backend';
+import { type AccessContextResolver } from '../document-access-enforcement.js';
+import { OnAccountDeleted, OnUserLogin } from '@nu-art/user-account-backend';
+import { SafeDB_Account } from '@nu-art/user-account-shared';
+export interface ResolveAdditionalGroupMemberships {
+    __resolveAdditionalGroupMemberships(accountId: string, context: 'register' | 'login'): Promise<UniqueId[]>;
 }
-export declare const PermissionGroup_Permissions_SuperAdmin: DefaultDef_Group;
-export declare const PermissionGroup_Permissions_Viewer: DefaultDef_Group;
-export declare const PermissionGroup_Permissions_Editor: DefaultDef_Group;
-export declare const PermissionGroup_Account_Manager: DefaultDef_Group;
-export declare const PermissionGroup_Account_Admin: DefaultDef_Group;
-export declare const PermissionGroup_Account_Viewer: DefaultDef_Group;
-export declare const PermissionGroups_Permissions: DefaultDef_Group[];
-export declare const PermissionProject_Permissions: DefaultDef_Project;
-declare class ModuleBE_Permissions_Class extends Module implements CollectSessionData<SessionData_Permissions>, PerformProjectSetup {
+export type ServiceAccountConfig = {
+    readonly scopes: string[];
+    readonly enabled: boolean;
+    readonly systemOnly: boolean;
+};
+export declare const ServiceAccountId_Bootstrap = "bootstrap-admin";
+type Config = {
+    serviceAccounts: Record<string, ServiceAccountConfig>;
+};
+export declare const GroupId_AppDefault: import("@nu-art/db-api-shared").DB_UniqueId<"permissions--access-groups">;
+export declare const GroupId_PermissionsAdmin: import("@nu-art/db-api-shared").DB_UniqueId<"permissions--access-groups">;
+export declare const PermissionsInfraGroupIds: Record<keyof DocumentAccessInner, DatabaseDef_AccessGroup['id']>;
+export declare const SetupTaskKey_PermissionsGroups: import("@nu-art/action-processor-backend").SetupTaskKey;
+declare class ModuleBE_Permissions_Class extends Module<Config> implements PerformProjectSetup, OnAccessGroupChanged, OnUserLogin, OnAccountDeleted {
+    private adminGrantFlagRef;
+    private readonly accessResolvers;
+    private readonly moduleScopeKeys;
+    constructor();
+    private readonly permissionsAccessResolver;
     protected init(): void;
-    __collectSessionData(data: BaseSessionClaims): Promise<SessionData_Permissions>;
-    getUserPermissionMap: (userGroups: DB_PermissionGroup[]) => Promise<TypedMap<number>>;
-    toggleStrictMode: () => Promise<void>;
-    __performProjectSetup(): {
-        priority: number;
-        processor: () => Promise<void>;
-    };
-    createPermissionProjects(projects: DefaultDef_Project[]): Promise<void>;
-    /**
-     * Creates All the DB_PermissionProject
-     *
-     * @param projects - predefined permissions projects
-     */
-    createProjects(projects: DefaultDef_Project[]): Promise<TypedMap<DB_PermissionProject>>;
-    /**
-     * Creates All the DB_PermissionDomains
-     *
-     * @param projects - predefined permissions projects
-     * @param map_nameToDBProject
-     */
-    private createDomains;
-    /**
-     * Creates All the DB_PermissionAccessLevel
-     *
-     * @param projects - predefined permissions projects
-     * @param map_nameToDbDomain
-     */
-    private createAccessLevels;
-    /**
-     * Creates All the DB_PermissionGroup
-     *
-     * @param projects - predefined permissions projects
-     * @param map_nameToDbDomain
-     * @param domainNameToLevelNameToDBAccessLevel
-     */
-    private createGroups;
-    /**
-     * Creates All the DB_PermissionApi
-     *
-     * @param projects - predefined permissions projects
-     * @param domainNameToLevelNameToDBAccessLevel
-     */
-    private createApis;
-    /**
-     * Creates permission keys associated with the given projects.
-     *
-     * @param projects - An array of projects.
-     */
-    private createPermissionsKeys;
-    /**
-     * If no "Super Admin" user is defined in the system!
-     * The first user to press the create project button will become the "Super Admin" of the system
-     *
-     * If a "Super Admin" already exists in the system, a 403 will be thrown
-     */
-    private assignSuperAdmin;
+    setAccessContextResolver<Database extends DB_Prototype>(dbModule: ModuleBE_BaseDB<Database>, resolver: AccessContextResolver<Database>, scopeKeys?: string[]): void;
+    private wireDocumentAccessToAllModules;
+    getAdminGrantFlagRef(): FirebaseRef<boolean>;
+    __performProjectSetup(): SetupTask[];
+    ensureDefinedGroups(): Promise<void>;
+    __onUserLogin(account: SafeDB_Account): Promise<void>;
+    __onAccountDeleted(account: SafeDB_Account): Promise<void>;
+    private ensurePersonalAccessGroup;
+    private addToDefaultGroup;
+    private promoteIfNoAdmin;
+    private checkAdminGrantFlag;
+    private resolveAdditionalGroupMemberships;
+    recomputePermissionsForUsers(accountIds: UniqueId[]): Promise<void>;
+    recomputePermissionsForAllUsers(): Promise<void>;
+    private materializeFromGroups;
+    __onAccessGroupChanged(changedGroupIds: UniqueId[]): Promise<void>;
+    rematerializeForGroups(changedGroupIds: UniqueId[]): Promise<void>;
+    private walkGroupGraphUp;
+    private resolveScopeIdsToStrings;
+    private deduplicateScopeEntries;
+    runAsServiceAccount<R>(saId: string, action: () => Promise<R>): Promise<R>;
+    private resolveSAAccessIds;
+    private resolveBootstrapAccessIds;
+    private resolveBootstrapScopes;
+    private ensureBootstrapSAAccessGroup;
+    private ensureServiceAccountAccessGroups;
+    private ensurePermissionsInfraAccessGroups;
+    private ensureScopeEntities;
+    private ensureDefaultGroup;
+    private ensurePermissionsAdminGroup;
+    private ensureAppDefinedGroups;
+    private syncPersonalGroupsForExistingAccounts;
 }
 export declare const ModuleBE_Permissions: ModuleBE_Permissions_Class;
 export {};