@objectstack/plugin-security 4.0.4 → 4.0.5

package/src/field-masker.ts

@@ -1,75 +0,0 @@
-// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
-
-import type { FieldPermission } from '@objectstack/spec/security';
-
-/**
- * FieldMasker
- * 
- * Applies field-level security by stripping restricted fields from query results.
- */
-export class FieldMasker {
-  /**
-   * Mask fields in query results based on field permissions.
-   * Removes fields that the user does not have read access to.
-   */
-  maskResults(
-    results: any | any[],
-    fieldPermissions: Record<string, FieldPermission>,
-    _objectName: string
-  ): any | any[] {
-    // If no field permissions defined, return results as-is
-    if (Object.keys(fieldPermissions).length === 0) return results;
-
-    // Get list of non-readable fields
-    const hiddenFields = Object.entries(fieldPermissions)
-      .filter(([, perm]) => !perm.readable)
-      .map(([field]) => field);
-
-    if (hiddenFields.length === 0) return results;
-
-    if (Array.isArray(results)) {
-      return results.map(record => this.maskRecord(record, hiddenFields));
-    }
-
-    return this.maskRecord(results, hiddenFields);
-  }
-
-  /**
-   * Get non-editable fields for use in write operations.
-   * Returns a list of field names that should be stripped from incoming data.
-   */
-  getNonEditableFields(
-    fieldPermissions: Record<string, FieldPermission>
-  ): string[] {
-    return Object.entries(fieldPermissions)
-      .filter(([, perm]) => !perm.editable)
-      .map(([field]) => field);
-  }
-
-  /**
-   * Strip non-editable fields from write data.
-   */
-  stripNonEditableFields(
-    data: Record<string, any>,
-    fieldPermissions: Record<string, FieldPermission>
-  ): Record<string, any> {
-    const nonEditable = this.getNonEditableFields(fieldPermissions);
-    if (nonEditable.length === 0) return data;
-
-    const result = { ...data };
-    for (const field of nonEditable) {
-      delete result[field];
-    }
-    return result;
-  }
-
-  private maskRecord(record: any, hiddenFields: string[]): any {
-    if (!record || typeof record !== 'object') return record;
-
-    const result = { ...record };
-    for (const field of hiddenFields) {
-      delete result[field];
-    }
-    return result;
-  }
-}

package/src/index.ts

@@ -1,16 +0,0 @@
-// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
-
-/**
- * @objectstack/plugin-security
- * 
- * Security Plugin for ObjectStack
- * Provides RBAC, Row-Level Security (RLS), and Field-Level Security runtime.
- */
-
-export { SecurityPlugin } from './security-plugin.js';
-export { PermissionEvaluator } from './permission-evaluator.js';
-export { RLSCompiler } from './rls-compiler.js';
-export { FieldMasker } from './field-masker.js';
-
-// System Object Definitions (sys namespace)
-export { SysRole, SysPermissionSet } from './objects/index.js';

package/src/objects/index.ts

@@ -1,10 +0,0 @@
-// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
-
-/**
- * Security Plugin — System Object Definitions (sys namespace)
- *
- * Canonical ObjectSchema definitions for security-related system objects.
- */
-
-export { SysRole } from './sys-role.object.js';
-export { SysPermissionSet } from './sys-permission-set.object.js';

package/src/objects/sys-permission-set.object.ts

@@ -1,94 +0,0 @@
-// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
-
-import { ObjectSchema, Field } from '@objectstack/spec/data';
-
-/**
- * sys_permission_set — System Permission Set Object
- *
- * Named groupings of fine-grained permissions.
- * Permission sets can be assigned to roles or directly to users
- * for granular access control.
- *
- * @namespace sys
- */
-export const SysPermissionSet = ObjectSchema.create({
-  namespace: 'sys',
-  name: 'permission_set',
-  label: 'Permission Set',
-  pluralLabel: 'Permission Sets',
-  icon: 'lock',
-  isSystem: true,
-  description: 'Named permission groupings for fine-grained access control',
-  titleFormat: '{name}',
-  compactLayout: ['name', 'label', 'active'],
-  
-  fields: {
-    id: Field.text({
-      label: 'Permission Set ID',
-      required: true,
-      readonly: true,
-    }),
-    
-    created_at: Field.datetime({
-      label: 'Created At',
-      defaultValue: 'NOW()',
-      readonly: true,
-    }),
-    
-    updated_at: Field.datetime({
-      label: 'Updated At',
-      defaultValue: 'NOW()',
-      readonly: true,
-    }),
-    
-    name: Field.text({
-      label: 'API Name',
-      required: true,
-      searchable: true,
-      maxLength: 100,
-      description: 'Unique machine name for the permission set',
-    }),
-    
-    label: Field.text({
-      label: 'Display Name',
-      required: true,
-      maxLength: 255,
-    }),
-    
-    description: Field.textarea({
-      label: 'Description',
-      required: false,
-    }),
-    
-    object_permissions: Field.textarea({
-      label: 'Object Permissions',
-      required: false,
-      description: 'JSON-serialized object-level CRUD permissions',
-    }),
-    
-    field_permissions: Field.textarea({
-      label: 'Field Permissions',
-      required: false,
-      description: 'JSON-serialized field-level read/write permissions',
-    }),
-    
-    active: Field.boolean({
-      label: 'Active',
-      defaultValue: true,
-    }),
-  },
-  
-  indexes: [
-    { fields: ['name'], unique: true },
-    { fields: ['active'] },
-  ],
-  
-  enable: {
-    trackHistory: true,
-    searchable: true,
-    apiEnabled: true,
-    apiMethods: ['get', 'list', 'create', 'update', 'delete'],
-    trash: true,
-    mru: true,
-  },
-});

package/src/objects/sys-role.object.ts

@@ -1,93 +0,0 @@
-// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
-
-import { ObjectSchema, Field } from '@objectstack/spec/data';
-
-/**
- * sys_role — System Role Object
- *
- * RBAC role definition for the ObjectStack platform.
- * Roles group permissions and are assigned to users or members.
- *
- * @namespace sys
- */
-export const SysRole = ObjectSchema.create({
-  namespace: 'sys',
-  name: 'role',
-  label: 'Role',
-  pluralLabel: 'Roles',
-  icon: 'shield',
-  isSystem: true,
-  description: 'Role definitions for RBAC access control',
-  titleFormat: '{name}',
-  compactLayout: ['name', 'label', 'active'],
-  
-  fields: {
-    id: Field.text({
-      label: 'Role ID',
-      required: true,
-      readonly: true,
-    }),
-    
-    created_at: Field.datetime({
-      label: 'Created At',
-      defaultValue: 'NOW()',
-      readonly: true,
-    }),
-    
-    updated_at: Field.datetime({
-      label: 'Updated At',
-      defaultValue: 'NOW()',
-      readonly: true,
-    }),
-    
-    name: Field.text({
-      label: 'API Name',
-      required: true,
-      searchable: true,
-      maxLength: 100,
-      description: 'Unique machine name for the role (e.g. admin, editor, viewer)',
-    }),
-    
-    label: Field.text({
-      label: 'Display Name',
-      required: true,
-      maxLength: 255,
-    }),
-    
-    description: Field.textarea({
-      label: 'Description',
-      required: false,
-    }),
-    
-    permissions: Field.textarea({
-      label: 'Permissions',
-      required: false,
-      description: 'JSON-serialized array of permission strings',
-    }),
-    
-    active: Field.boolean({
-      label: 'Active',
-      defaultValue: true,
-    }),
-    
-    is_default: Field.boolean({
-      label: 'Default Role',
-      defaultValue: false,
-      description: 'Automatically assigned to new users',
-    }),
-  },
-  
-  indexes: [
-    { fields: ['name'], unique: true },
-    { fields: ['active'] },
-  ],
-  
-  enable: {
-    trackHistory: true,
-    searchable: true,
-    apiEnabled: true,
-    apiMethods: ['get', 'list', 'create', 'update', 'delete'],
-    trash: true,
-    mru: true,
-  },
-});

package/src/permission-evaluator.ts

@@ -1,112 +0,0 @@
-// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
-
-import type { PermissionSet, ObjectPermission, FieldPermission } from '@objectstack/spec/security';
-
-/**
- * Operation type mapping to permission checks
- */
-const OPERATION_TO_PERMISSION: Record<string, keyof ObjectPermission> = {
-  find: 'allowRead',
-  findOne: 'allowRead',
-  count: 'allowRead',
-  aggregate: 'allowRead',
-  insert: 'allowCreate',
-  update: 'allowEdit',
-  delete: 'allowDelete',
-};
-
-/**
- * PermissionEvaluator
- * 
- * Runtime evaluator for PermissionSet definitions.
- * Resolves aggregated permissions from roles to concrete allow/deny decisions.
- */
-export class PermissionEvaluator {
-  /**
-   * Check if an operation is allowed on an object for the given permission sets.
-   * Uses "most permissive" merging: if ANY permission set allows, it's allowed.
-   */
-  checkObjectPermission(
-    operation: string,
-    objectName: string,
-    permissionSets: PermissionSet[]
-  ): boolean {
-    const permKey = OPERATION_TO_PERMISSION[operation];
-    if (!permKey) return true; // Unknown operations are allowed by default
-
-    for (const ps of permissionSets) {
-      const objPerm = ps.objects?.[objectName];
-      if (objPerm) {
-        // Check if modifyAllRecords is set (super-user bypass for write ops)
-        if (['allowEdit', 'allowDelete'].includes(permKey) && objPerm.modifyAllRecords) {
-          return true;
-        }
-        // Check if viewAllRecords is set (super-user bypass for read ops)
-        if (permKey === 'allowRead' && (objPerm.viewAllRecords || objPerm.modifyAllRecords)) {
-          return true;
-        }
-        // Check the specific permission
-        if (objPerm[permKey]) {
-          return true;
-        }
-      }
-    }
-
-    return false;
-  }
-
-  /**
-   * Get the merged field permissions for an object.
-   * Returns a map of field names to their effective permissions.
-   * Uses "most permissive" merging.
-   */
-  getFieldPermissions(
-    objectName: string,
-    permissionSets: PermissionSet[]
-  ): Record<string, FieldPermission> {
-    const result: Record<string, FieldPermission> = {};
-
-    for (const ps of permissionSets) {
-      if (!ps.fields) continue;
-
-      for (const [key, perm] of Object.entries(ps.fields)) {
-        // Field keys are in format: "object_name.field_name"
-        if (!key.startsWith(`${objectName}.`)) continue;
-        const fieldName = key.substring(objectName.length + 1);
-
-        if (!result[fieldName]) {
-          result[fieldName] = { readable: false, editable: false };
-        }
-
-        // Most permissive merge
-        if (perm.readable) result[fieldName].readable = true;
-        if (perm.editable) result[fieldName].editable = true;
-      }
-    }
-
-    return result;
-  }
-
-  /**
-   * Resolve permission sets for a list of role names from metadata.
-   */
-  resolvePermissionSets(
-    roles: string[],
-    metadataService: any
-  ): PermissionSet[] {
-    const result: PermissionSet[] = [];
-
-    // Get all permission sets from metadata
-    const allPermSets = metadataService.list?.('permissions') || [];
-
-    for (const ps of allPermSets) {
-      // A permission set is relevant if it's a profile assigned to any of the user's roles,
-      // or if the role name matches the permission set name
-      if (roles.includes(ps.name)) {
-        result.push(ps);
-      }
-    }
-
-    return result;
-  }
-}

package/src/rls-compiler.ts

@@ -1,143 +0,0 @@
-// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
-
-import type { RowLevelSecurityPolicy } from '@objectstack/spec/security';
-import type { ExecutionContext } from '@objectstack/spec/kernel';
-
-/**
- * RLS User Context
- * Variables available for RLS expression evaluation.
- */
-interface RLSUserContext {
-  id?: string;
-  tenant_id?: string;
-  roles?: string[];
-  [key: string]: unknown;
-}
-
-/**
- * RLSCompiler
- * 
- * Compiles Row-Level Security policy expressions into query filters.
- * Converts `using` / `check` expressions into ObjectQL-compatible filter conditions.
- */
-export class RLSCompiler {
-  /**
-   * Compile RLS policies into a query filter for the given user context.
-   * Multiple policies for the same object/operation are OR-combined (any match allows access).
-   */
-  compileFilter(
-    policies: RowLevelSecurityPolicy[],
-    executionContext?: ExecutionContext
-  ): Record<string, unknown> | null {
-    if (policies.length === 0) return null;
-
-    const userCtx: RLSUserContext = {
-      id: executionContext?.userId,
-      tenant_id: executionContext?.tenantId,
-      roles: executionContext?.roles,
-    };
-
-    const filters: Record<string, unknown>[] = [];
-
-    for (const policy of policies) {
-      if (!policy.using) continue;
-      const filter = this.compileExpression(policy.using, userCtx);
-      if (filter) {
-        filters.push(filter);
-      }
-    }
-
-    if (filters.length === 0) return null;
-    if (filters.length === 1) return filters[0];
-
-    // Multiple policies: OR-combine (any policy allows access)
-    return { $or: filters };
-  }
-
-  /**
-   * Compile a single RLS expression into a query filter.
-   * 
-   * Supports simple expressions like:
-   * - "field_name = current_user.property"
-   * - "field_name IN (current_user.array_property)"
-   * - "field_name = 'literal_value'"
-   */
-  compileExpression(
-    expression: string,
-    userCtx: RLSUserContext
-  ): Record<string, unknown> | null {
-    if (!expression) return null;
-
-    // Handle simple equality: "field = current_user.property"
-    const eqMatch = expression.match(/^\s*(\w+)\s*=\s*current_user\.(\w+)\s*$/);
-    if (eqMatch) {
-      const [, field, prop] = eqMatch;
-      const value = userCtx[prop];
-      if (value === undefined) return null;
-      return { [field]: value };
-    }
-
-    // Handle literal equality: "field = 'value'"
-    const litMatch = expression.match(/^\s*(\w+)\s*=\s*'([^']*)'\s*$/);
-    if (litMatch) {
-      const [, field, value] = litMatch;
-      return { [field]: value };
-    }
-
-    // Handle IN: "field IN (current_user.array_property)"
-    const inMatch = expression.match(/^\s*(\w+)\s+IN\s+\(\s*current_user\.(\w+)\s*\)\s*$/i);
-    if (inMatch) {
-      const [, field, prop] = inMatch;
-      const value = userCtx[prop];
-      if (!Array.isArray(value)) return null;
-      return { [field]: { $in: value } };
-    }
-
-    // Unsupported expression: return null (no additional RLS filter applied).
-    // Note: callers should treat absence of RLS policies as "allow all" only when
-    // no policies are defined. If policies exist but cannot be compiled, the caller
-    // may want to deny access as a safety measure.
-    return null;
-  }
-
-  /**
-   * Get applicable RLS policies for a given object and operation.
-   */
-  getApplicablePolicies(
-    objectName: string,
-    operation: string,
-    allPolicies: RowLevelSecurityPolicy[]
-  ): RowLevelSecurityPolicy[] {
-    // Map engine operation to RLS operation type
-    const rlsOp = this.mapOperationToRLS(operation);
-
-    return allPolicies.filter(policy => {
-      // Check object match
-      if (policy.object !== objectName && policy.object !== '*') return false;
-
-      // Check operation match
-      if (policy.operation === 'all') return true;
-      if (policy.operation === rlsOp) return true;
-
-      return false;
-    });
-  }
-
-  private mapOperationToRLS(operation: string): string {
-    switch (operation) {
-      case 'find':
-      case 'findOne':
-      case 'count':
-      case 'aggregate':
-        return 'select';
-      case 'insert':
-        return 'insert';
-      case 'update':
-        return 'update';
-      case 'delete':
-        return 'delete';
-      default:
-        return 'select';
-    }
-  }
-}