@open-rlb/nestjs-amqp 1.0.28 → 2.0.1

package/README.md

@@ -22,7 +22,7 @@ nest g @open-rlb/nestjs-amqp:nest-add --gateway=false
 
 Opzioni: `--gateway` (on/off, default on), `--module` (default `src/app.module.ts`), `--main` (default `src/main.ts`), `--config` (default `config/config.yaml`), `--skills` (copia le skill, default on), `--skip-install`.
 
-Con `--gateway=false` la factory passa solo `{ options, topics, appOptions, authOptions }` e non importa `ProxyModule`/`HttpModule`; con il gateway attivo aggiunge anche `gatewayOptions`, `ProxyModule.forRoot([])`, `HttpModule` e il `WsAdapter` in `main.ts`. Lo schematic è idempotente (non tocca un `AppModule` che già importa `BrokerModule`).
+Con `--gateway=false` la factory passa a `BrokerModule` solo `{ options, topics, appOptions }` e non importa `ProxyModule`/`HttpModule`; con il gateway attivo aggiunge `ProxyModule.forRootAsync(...)` (che riceve `authOptions` + `gatewayOptions`), `HttpModule` e il `WsAdapter` in `main.ts`. Lo schematic è idempotente (non tocca un `AppModule` che già importa `BrokerModule`).
 
 > Documentazione completa. Indice:
 > [Architettura](#architettura) ·
@@ -112,14 +112,21 @@ import yamlConfig from './config/config.loader';
         options: config.get<RabbitMQConfig>('broker'),
         topics: config.get<BrokerTopic[]>('topics'),
         appOptions: config.get<AppConfig>('app'),
+      }),
+    }),
+    HttpModule,
+    // auth-providers + gateway config → ProxyModule (non più BrokerModule)
+    ProxyModule.forRootAsync({
+      imports: [ConfigModule],
+      inject: [ConfigService],
+      useFactory: (config: ConfigService) => ({
         authOptions: config.get<HandlerAuthConfig[]>('auth-providers'),
         gatewayOptions: config.get<GatewayConfig>('gateway'),
       }),
+      providers: [
+        // { provide: RLB_GTW_ACL_ROLE_SERVICE, useClass: MyAclService }, // solo se usi `roles`
+      ],
     }),
-    HttpModule,
-    ProxyModule.forRoot([
-      // { provide: RLB_GTW_ACL_ROLE_SERVICE, useClass: MyAclService }, // solo se usi `roles`
-    ]),
   ],
 })
 export class AppModule {}
@@ -291,6 +298,8 @@ auth-providers:
 
 Mapping dei claim: un token con `{ sub: "u_1", roles: [...] }` e `jwtMap: [sub:userId]`, `headerPrefix: X-GTW-AUTH-` produce l'header `X-GTW-AUTH-USERID = u_1` propagato al microservizio. Leggilo con `@BrokerParam('header', 'X-GTW-AUTH-USERID')`.
 
+> **Sicurezza dei provider**: `algorithms` è **obbligatorio** per `jwt`/`jwks` (se omesso la verifica è negata → previene l'algorithm-confusion); per `jwks` solo algoritmi asimmetrici (RS\*/ES\*/PS\*), `HS*`/`none` rifiutati. `str-compare` senza `secret` e `basic` senza `clientSecret` fanno **pass-through** (richiesta considerata autenticata — provider di fatto aperto/disabilitato; usalo consapevolmente). Senza `jwtMap` i claim vengono propagati non mappati: definiscilo sempre.
+
 ### `gateway`
 
 ```yaml
@@ -463,6 +472,9 @@ gateway:
     maxConnections: 5000             # limite connessioni per istanza
     maxSubscriptionsPerClient: 50    # limite sottoscrizioni per client
     heartbeatIntervalMs: 30000       # ping/pong per chiudere le connessioni morte
+    allowedOrigins:                  # allowlist Origin dell'handshake (omessa → tutte)
+      - https://app.example.com
+    maxMessageBytes: 16384           # scarta i frame client più grandi (default 16KB)
 
   events:
     - name: orders
@@ -508,8 +520,10 @@ ws.send(JSON.stringify({ action: 'unsubscribe', topic: 'orders' }));
 - **Auth per evento**: `events[].auth` indica il provider che verifica il token e mappa i claim per quell'evento; `requireAuth: false` rende l'auth opzionale (anonimi ammessi, claim mappati se il token c'è). Subscribe negato (`onError: unauthorized`) se l'auth è richiesta e il token non è valido.
 - **Authz per evento**: `roles` (ACL via `IAclRoleService`) sull'identità ricavata da `auth`.
 - **Scoping per-utente**: `scopeClaim` + `payloadKey` impediscono a un client di ricevere dati altrui tramite un `select` arbitrario (il filtro server-side è intersecato con quello del client, mai allargato). Se `scopeClaim` è impostato senza `payloadKey`, **nega tutto** (safe default).
+- **Sessione limitata dalla scadenza del token**: l'`exp` del JWT viene catturato alla prima verifica e la connessione viene chiusa (`1008 token expired`) appena scade — niente consegne dopo la scadenza.
+- **Origin allowlist**: `gateway.ws.allowedOrigins` rifiuta gli handshake cross-site (se omessa, tutte le origin sono accettate e lo si segnala a boot).
 - **Multi-istanza**: ogni istanza crea una coda AMQP **effimera ed esclusiva** (nome unico per processo) → tutte le repliche ricevono ogni evento e lo inoltrano ai rispettivi client.
-- **Hardening**: heartbeat ping/pong, limiti connessioni/sottoscrizioni, cleanup robusto su `close`/`error`.
+- **Hardening**: heartbeat ping/pong, limiti connessioni/sottoscrizioni, limite dimensione frame (`maxMessageBytes`), cleanup robusto su `close`/`error`.
 
 ---
 
@@ -519,6 +533,76 @@ ws.send(JSON.stringify({ action: 'unsubscribe', topic: 'orders' }));
 
 ---
 
+## Moduli opzionali `AclModule` e `GatewayAdminModule` (persistenza fornita dal consumer)
+
+Due moduli **opzionali** per gestire ACL e configurazione gateway a database. **La lib non dipende da Mongo/Redis**: definisce i servizi/cache + i **contratti repository (classi astratte)** e l'interfaccia `AclCacheStore`; **il consumer fornisce le implementazioni** (es. Mongo + Redis). Esempio completo e funzionante: **[`apps/gateway-2`](apps/gateway-2)** — per restare autonomo usa **repository in-RAM** (`InMemory*Repository`) e una **cache L2 in-RAM** (`InMemoryAclStore`), così gira solo con RabbitMQ; in produzione si rimpiazzano con implementazioni Mongo/Redis senza toccare la lib.
+
+### `AclModule` — ACL DB-backed con cache 2-livelli
+
+ACL (azioni → ruoli → grant per-utente) con `canUserDo` corretto e **cache RAM + L2 pluggable** (TTL diversi) e invalidazione che forza il DB.
+
+```ts
+import { AclModule, AclService, AclActionRepository, AclRoleRepository, AclGrantRepository,
+         RLB_ACL_CACHE_STORE, RLB_GTW_ACL_ROLE_SERVICE } from '@open-rlb/nestjs-amqp';
+
+@Module({
+  imports: [
+    BrokerModule.forRootAsync({ /* ... */ }),
+    // ProxyModule riceve auth/gateway config e usa AclService come IAclRoleService (AclModule è @Global):
+    ProxyModule.forRootAsync({
+      imports: [ConfigModule],
+      inject: [ConfigService],
+      useFactory: (config: ConfigService) => ({
+        authOptions: config.get<HandlerAuthConfig[]>('auth-providers'),
+        gatewayOptions: config.get<GatewayConfig>('gateway'),
+      }),
+      providers: [{ provide: RLB_GTW_ACL_ROLE_SERVICE, useExisting: AclService }],
+    }),
+    AclModule.forRoot(
+      [
+        ...aclMongoModelProviders,                                   // provider dei model Mongoose
+        { provide: AclActionRepository, useClass: MongoAclActionRepository },
+        { provide: AclRoleRepository,   useClass: MongoAclRoleRepository },
+        { provide: AclGrantRepository,  useClass: MongoAclGrantRepository },
+        InMemoryAclStore,                                            // implementa AclCacheStore
+        { provide: RLB_ACL_CACHE_STORE, useExisting: InMemoryAclStore },// L2 opzionale (omesso → solo RAM)
+      ],
+      { cache: { ramTtlMs: 30000, l2TtlSec: 600 } },
+    ),
+  ],
+})
+export class AppModule {}
+```
+
+- I handler sono esposti su `BrokerService` con topic **`rlb-acl`** (costante `ACL_TOPIC`): `acl-can-user-do` (rpc), `acl-grant`/`acl-revoke`, `acl-action-*`, `acl-role-*`. Definisci nel tuo `broker.topics` un topic `rlb-acl` e imposta negli auth-provider `aclTopic: rlb-acl`, `aclAction: acl-can-user-do`.
+- `AclService.canUserDo(topic, action, userId)` serve dalla cache; sul miss interroga il DB (`checkActions`: i ruoli del grant devono coprire l'azione) e ripopola RAM+L2.
+- **Invalidazione**: ogni mutazione (grant/role/action) svuota L1 e L2 → la prossima verifica pesca dal DB. Senza L2, la coerenza multi-istanza è limitata dal `ramTtlMs`.
+- **Cache L2 pluggable**: il consumer fornisce `{ provide: RLB_ACL_CACHE_STORE, useClass/useExisting }` che implementa `AclCacheStore` (`get/set/del/keys`). In `gateway-2` è `InMemoryAclStore` (mock in RAM, nessuna dipendenza esterna); in produzione plugga uno store condiviso (es. Redis).
+
+### `GatewayAdminModule` — CRUD rotte/auth + liste + metriche
+
+CRUD di rotte HTTP e auth-providers (repo forniti dal consumer), con **liste esportabili** per il gateway (in aggiunta allo YAML), **metriche a contatori** e **ordinamento path static-before-param**.
+
+```ts
+import { GatewayAdminModule, HttpPathRepository, AuthProviderRepository, HttpMetricRepository } from '@open-rlb/nestjs-amqp';
+
+GatewayAdminModule.forRoot([
+  ...gatewayAdminMongoModelProviders,
+  { provide: HttpPathRepository,     useClass: MongoHttpPathRepository },
+  { provide: AuthProviderRepository, useClass: MongoAuthProviderRepository },
+  { provide: HttpMetricRepository,   useClass: MongoHttpMetricRepository },
+]);
+```
+
+Handler su topic **`rlb-gateway-admin`** (`GATEWAY_ADMIN_TOPIC`):
+- CRUD rotte: `gw-path-create/update/delete/get/list`; **`gw-path-export` (rpc)** → tutte le rotte abilitate come `PathDefinition[]` **ordinate** (statiche prima delle parametriche). Punta `gateway.loadConfig.paths` a `{ topic: rlb-gateway-admin, action: gw-path-export }`.
+- CRUD auth: `gw-auth-create/.../list`; **`gw-auth-export` (rpc)** → `HandlerAuthConfig[]` abilitati (per frontend / merge lato gateway).
+- Metriche: **`gw-metrics-track` (event)** incrementa i contatori per `(method, route)`; **`gw-metrics-get` (rpc)** restituisce count/errori/durata media per il frontend.
+
+> **Ordinamento path**: `gw-path-export` usa `orderPaths()` così `resources/path` precede `resources/:varName` — necessario perché Express, registrando prima la rotta parametrica, intercetterebbe il segmento statico.
+
+---
+
 ## API `BrokerService`
 
 | Metodo                                                       | Uso                                              |
@@ -576,7 +660,7 @@ Questi sono i punti che causano più frequentemente bug silenziosi. **Leggili pr
 
 ### Auth / ACL
 
-14. **`roles` su una path o evento richiede un `IAclRoleService`** registrato via `RLB_GTW_ACL_ROLE_SERVICE` in `ProxyModule.forRoot([...])`. L'auth-provider deve definire `aclTopic`, `aclAction`, `uidClaim`, `usernameClaim`, e `uidClaim` deve corrispondere a un `dest` del `jwtMap`. Mancante → throw.
+14. **`roles` su una path o evento richiede un `IAclRoleService`** registrato via `RLB_GTW_ACL_ROLE_SERVICE` in `ProxyModule.forRootAsync({ providers: [...] })`. L'auth-provider deve definire `aclTopic`, `aclAction`, `uidClaim`, `usernameClaim`, e `uidClaim` deve corrispondere a un `dest` del `jwtMap`. Mancante → throw. Nota: `authOptions`/`gatewayOptions` si passano a `ProxyModule`, non a `BrokerModule`.
 15. **Gli header propagati sono uppercase e prefissati** (`${headerPrefix}${DEST}`): leggi `X-GTW-AUTH-USERID`, non `userId`.
 
 ### WebSocket

package/amqp-lib/amqp/connection.d.ts

@@ -26,7 +26,7 @@ export declare class AmqpConnection implements OnApplicationShutdown, OnModuleIn
     get managedConnection(): AmqpConnectionManager;
     get configuration(): RabbitMQConfig;
     get channels(): Record<string, ConfirmChannel>;
-    get managedChannels(): Record<string, import("amqp-connection-manager/dist/types/ChannelWrapper").default>;
+    get managedChannels(): Record<string, import("node_modules/amqp-connection-manager/dist/types/ChannelWrapper").default>;
     get connected(): boolean;
     init(): Promise<void>;
     request<T>(requestOptions: RequestOptions): Promise<T>;

package/common/errors.d.ts

@@ -0,0 +1,13 @@
+export declare class BrokerHttpError extends Error {
+    constructor(message?: string);
+}
+export declare class BadRequestError extends BrokerHttpError {
+}
+export declare class UnauthorizedError extends BrokerHttpError {
+}
+export declare class ForbiddenError extends BrokerHttpError {
+}
+export declare class NotFoundError extends BrokerHttpError {
+}
+export declare class InvalidParamsErrror extends BrokerHttpError {
+}

package/common/errors.js

@@ -0,0 +1,26 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.InvalidParamsErrror = exports.NotFoundError = exports.ForbiddenError = exports.UnauthorizedError = exports.BadRequestError = exports.BrokerHttpError = void 0;
+class BrokerHttpError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = new.target.name;
+    }
+}
+exports.BrokerHttpError = BrokerHttpError;
+class BadRequestError extends BrokerHttpError {
+}
+exports.BadRequestError = BadRequestError;
+class UnauthorizedError extends BrokerHttpError {
+}
+exports.UnauthorizedError = UnauthorizedError;
+class ForbiddenError extends BrokerHttpError {
+}
+exports.ForbiddenError = ForbiddenError;
+class NotFoundError extends BrokerHttpError {
+}
+exports.NotFoundError = NotFoundError;
+class InvalidParamsErrror extends BrokerHttpError {
+}
+exports.InvalidParamsErrror = InvalidParamsErrror;
+//# sourceMappingURL=errors.js.map

package/common/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../libs/rlb-nestjs-amqp/src/common/errors.ts"],"names":[],"mappings":";;;AAKA,MAAa,eAAgB,SAAQ,KAAK;IACxC,YAAY,OAAgB;QAC1B,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC;IAC9B,CAAC;CACF;AALD,0CAKC;AAED,MAAa,eAAgB,SAAQ,eAAe;CAAI;AAAxD,0CAAwD;AACxD,MAAa,iBAAkB,SAAQ,eAAe;CAAI;AAA1D,8CAA0D;AAC1D,MAAa,cAAe,SAAQ,eAAe;CAAI;AAAvD,wCAAuD;AACvD,MAAa,aAAc,SAAQ,eAAe;CAAI;AAAtD,sCAAsD;AAEtD,MAAa,mBAAoB,SAAQ,eAAe;CAAI;AAA5D,kDAA4D"}

package/common/flatten.util.d.ts

@@ -0,0 +1 @@
+export declare function flattenObject(input: Record<string, any>, prefix?: string, out?: Record<string, any>): Record<string, any>;

package/common/flatten.util.js

@@ -0,0 +1,29 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.flattenObject = flattenObject;
+function flattenObject(input, prefix = '', out = {}) {
+    for (const key of Object.keys(input ?? {})) {
+        const value = input[key];
+        const path = prefix ? `${prefix}.${key}` : key;
+        if (isPlainObject(value)) {
+            flattenObject(value, path, out);
+        }
+        else {
+            out[path] = value;
+        }
+    }
+    return out;
+}
+function isPlainObject(value) {
+    if (value === null || typeof value !== 'object')
+        return false;
+    if (Array.isArray(value))
+        return false;
+    if (value instanceof Date)
+        return false;
+    if (typeof Buffer !== 'undefined' && Buffer.isBuffer(value))
+        return false;
+    const proto = Object.getPrototypeOf(value);
+    return proto === Object.prototype || proto === null;
+}
+//# sourceMappingURL=flatten.util.js.map

package/common/flatten.util.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"flatten.util.js","sourceRoot":"","sources":["../../libs/rlb-nestjs-amqp/src/common/flatten.util.ts"],"names":[],"mappings":";;AAKA,sCAWC;AAXD,SAAgB,aAAa,CAAC,KAA0B,EAAE,MAAM,GAAG,EAAE,EAAE,MAA2B,EAAE;IAClG,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC,EAAE,CAAC;QAC3C,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC;QACzB,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,CAAC,GAAG,MAAM,IAAI,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC;QAC/C,IAAI,aAAa,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,aAAa,CAAC,KAAK,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;QAClC,CAAC;aAAM,CAAC;YACN,GAAG,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC;QACpB,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,aAAa,CAAC,KAAU;IAC/B,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC9D,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACvC,IAAI,KAAK,YAAY,IAAI;QAAE,OAAO,KAAK,CAAC;IACxC,IAAI,OAAO,MAAM,KAAK,WAAW,IAAI,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAE1E,MAAM,KAAK,GAAG,MAAM,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;IAC3C,OAAO,KAAK,KAAK,MAAM,CAAC,SAAS,IAAI,KAAK,KAAK,IAAI,CAAC;AACtD,CAAC"}

package/common/index.d.ts

@@ -0,0 +1,3 @@
+export * from './errors';
+export * from './flatten.util';
+export * from './pagination.model';

package/common/index.js

@@ -0,0 +1,20 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./errors"), exports);
+__exportStar(require("./flatten.util"), exports);
+__exportStar(require("./pagination.model"), exports);
+//# sourceMappingURL=index.js.map

package/common/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../libs/rlb-nestjs-amqp/src/common/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,2CAAyB;AACzB,iDAA+B;AAC/B,qDAAmC"}

package/common/pagination.model.d.ts

@@ -0,0 +1,6 @@
+export interface PaginationModel<T> {
+    page: number;
+    limit: number;
+    total: number;
+    data: T[];
+}

package/common/pagination.model.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=pagination.model.js.map

package/common/pagination.model.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pagination.model.js","sourceRoot":"","sources":["../../libs/rlb-nestjs-amqp/src/common/pagination.model.ts"],"names":[],"mappings":""}

package/index.d.ts

@@ -1,4 +1,7 @@
+export * from './common';
+export * from './modules/acl';
 export * from './modules/broker/index';
 export * from './modules/broker/services/utils.service';
+export * from './modules/gateway-admin';
 export * from './modules/proxy/index';
 export * from './modules/remote-config/index';

package/index.js

@@ -14,8 +14,11 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./common"), exports);
+__exportStar(require("./modules/acl"), exports);
 __exportStar(require("./modules/broker/index"), exports);
 __exportStar(require("./modules/broker/services/utils.service"), exports);
+__exportStar(require("./modules/gateway-admin"), exports);
 __exportStar(require("./modules/proxy/index"), exports);
 __exportStar(require("./modules/remote-config/index"), exports);
 //# sourceMappingURL=index.js.map

package/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../libs/rlb-nestjs-amqp/src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,yDAAuC;AACvC,0EAAwD;AACxD,wDAAsC;AACtC,gEAA8C"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../libs/rlb-nestjs-amqp/src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,2CAAyB;AACzB,gDAA8B;AAC9B,yDAAuC;AACvC,0EAAwD;AACxD,0DAAwC;AACxC,wDAAsC;AACtC,gEAA8C"}

package/modules/acl/acl.module.d.ts

@@ -0,0 +1,5 @@
+import { DynamicModule, Provider } from '@nestjs/common';
+import { AclModuleOptions } from './config/acl.config';
+export declare class AclModule {
+    static forRoot(providers: Provider[], options?: AclModuleOptions): DynamicModule;
+}

package/modules/acl/acl.module.js

@@ -0,0 +1,36 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var AclModule_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AclModule = void 0;
+const common_1 = require("@nestjs/common");
+const const_1 = require("./const");
+const acl_cache_service_1 = require("./cache/acl-cache.service");
+const acl_management_service_1 = require("./services/acl-management.service");
+const acl_service_1 = require("./services/acl.service");
+const SERVICES = [acl_cache_service_1.AclCacheService, acl_service_1.AclService, acl_management_service_1.AclManagementService];
+const MODULE_EXPORTS = [acl_service_1.AclService, acl_cache_service_1.AclCacheService];
+let AclModule = AclModule_1 = class AclModule {
+    static forRoot(providers, options = {}) {
+        return {
+            module: AclModule_1,
+            global: true,
+            providers: [
+                { provide: const_1.RLB_ACL_OPTIONS, useValue: options },
+                ...providers,
+                ...SERVICES,
+            ],
+            exports: MODULE_EXPORTS,
+        };
+    }
+};
+exports.AclModule = AclModule;
+exports.AclModule = AclModule = AclModule_1 = __decorate([
+    (0, common_1.Module)({})
+], AclModule);
+//# sourceMappingURL=acl.module.js.map

package/modules/acl/acl.module.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"acl.module.js","sourceRoot":"","sources":["../../../libs/rlb-nestjs-amqp/src/modules/acl/acl.module.ts"],"names":[],"mappings":";;;;;;;;;;AAAA,2CAAiE;AAEjE,mCAA0C;AAC1C,iEAA4D;AAC5D,8EAAyE;AACzE,wDAAoD;AAEpD,MAAM,QAAQ,GAAe,CAAC,mCAAe,EAAE,wBAAU,EAAE,6CAAoB,CAAC,CAAC;AACjF,MAAM,cAAc,GAAG,CAAC,wBAAU,EAAE,mCAAe,CAAC,CAAC;AAG9C,IAAM,SAAS,iBAAf,MAAM,SAAS;IAOpB,MAAM,CAAC,OAAO,CAAC,SAAqB,EAAE,UAA4B,EAAE;QAClE,OAAO;YACL,MAAM,EAAE,WAAS;YACjB,MAAM,EAAE,IAAI;YACZ,SAAS,EAAE;gBACT,EAAE,OAAO,EAAE,uBAAe,EAAE,QAAQ,EAAE,OAAO,EAAE;gBAC/C,GAAG,SAAS;gBACZ,GAAG,QAAQ;aACZ;YACD,OAAO,EAAE,cAAc;SACxB,CAAC;IACJ,CAAC;CACF,CAAA;AAnBY,8BAAS;oBAAT,SAAS;IADrB,IAAA,eAAM,EAAC,EAAE,CAAC;GACE,SAAS,CAmBrB"}

package/modules/acl/cache/acl-cache.service.d.ts

@@ -0,0 +1,15 @@
+import { AclModuleOptions } from '../config/acl.config';
+import { AclCacheStore } from './cache-store';
+export declare class AclCacheService {
+    private readonly store?;
+    private readonly logger;
+    private readonly ram;
+    private readonly ramTtlMs;
+    private readonly l2TtlSec;
+    constructor(options: AclModuleOptions, store?: AclCacheStore);
+    private key;
+    get(userId: string, topic: string, action: string): Promise<boolean | null>;
+    set(userId: string, topic: string, action: string, value: boolean): Promise<void>;
+    invalidate(userId?: string): Promise<void>;
+    invalidateLocalRam(userId?: string): void;
+}

package/modules/acl/cache/acl-cache.service.js

@@ -0,0 +1,98 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+var AclCacheService_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AclCacheService = void 0;
+const common_1 = require("@nestjs/common");
+const const_1 = require("../const");
+let AclCacheService = AclCacheService_1 = class AclCacheService {
+    constructor(options, store) {
+        this.store = store;
+        this.logger = new common_1.Logger(AclCacheService_1.name);
+        this.ram = new Map();
+        this.ramTtlMs = options.cache?.ramTtlMs ?? 30_000;
+        this.l2TtlSec = options.cache?.l2TtlSec ?? 600;
+    }
+    key(userId, topic, action) {
+        return `acl/${userId}/${topic}/${action}`;
+    }
+    async get(userId, topic, action) {
+        const key = this.key(userId, topic, action);
+        const local = this.ram.get(key);
+        if (local && local.exp > Date.now())
+            return local.v;
+        if (local)
+            this.ram.delete(key);
+        if (this.store) {
+            try {
+                const cached = await this.store.get(key);
+                if (cached === '1' || cached === '0') {
+                    const value = cached === '1';
+                    this.ram.set(key, { v: value, exp: Date.now() + this.ramTtlMs });
+                    return value;
+                }
+            }
+            catch (error) {
+                this.logger.warn(`ACL L2 cache read failed for ${key}: ${error?.message}`);
+            }
+        }
+        return null;
+    }
+    async set(userId, topic, action, value) {
+        const key = this.key(userId, topic, action);
+        this.ram.set(key, { v: value, exp: Date.now() + this.ramTtlMs });
+        if (this.store) {
+            try {
+                await this.store.set(key, value ? '1' : '0', this.l2TtlSec);
+            }
+            catch (error) {
+                this.logger.warn(`ACL L2 cache write failed for ${key}: ${error?.message}`);
+            }
+        }
+    }
+    async invalidate(userId) {
+        this.invalidateLocalRam(userId);
+        if (!this.store)
+            return;
+        const pattern = userId ? `acl/${userId}/*` : 'acl/*';
+        try {
+            const keys = await this.store.keys(pattern);
+            if (keys.length)
+                await this.store.del(keys);
+        }
+        catch (error) {
+            this.logger.warn(`ACL L2 cache invalidation failed for ${pattern}: ${error?.message}`);
+        }
+    }
+    invalidateLocalRam(userId) {
+        if (!userId) {
+            this.ram.clear();
+            return;
+        }
+        const prefix = `acl/${userId}/`;
+        for (const key of this.ram.keys()) {
+            if (key.startsWith(prefix))
+                this.ram.delete(key);
+        }
+    }
+};
+exports.AclCacheService = AclCacheService;
+exports.AclCacheService = AclCacheService = AclCacheService_1 = __decorate([
+    (0, common_1.Injectable)(),
+    __param(0, (0, common_1.Inject)(const_1.RLB_ACL_OPTIONS)),
+    __param(1, (0, common_1.Optional)()),
+    __param(1, (0, common_1.Inject)(const_1.RLB_ACL_CACHE_STORE)),
+    __metadata("design:paramtypes", [Object, Object])
+], AclCacheService);
+//# sourceMappingURL=acl-cache.service.js.map

package/modules/acl/cache/acl-cache.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"acl-cache.service.js","sourceRoot":"","sources":["../../../../libs/rlb-nestjs-amqp/src/modules/acl/cache/acl-cache.service.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,2CAAsE;AAEtE,oCAAgE;AAMzD,IAAM,eAAe,uBAArB,MAAM,eAAe;IAM1B,YAC2B,OAAyB,EACT,KAAsC;QAArB,UAAK,GAAL,KAAK,CAAgB;QAPhE,WAAM,GAAG,IAAI,eAAM,CAAC,iBAAe,CAAC,IAAI,CAAC,CAAC;QAC1C,QAAG,GAAG,IAAI,GAAG,EAAoB,CAAC;QAQjD,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,KAAK,EAAE,QAAQ,IAAI,MAAM,CAAC;QAClD,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,KAAK,EAAE,QAAQ,IAAI,GAAG,CAAC;IACjD,CAAC;IAEO,GAAG,CAAC,MAAc,EAAE,KAAa,EAAE,MAAc;QACvD,OAAO,OAAO,MAAM,IAAI,KAAK,IAAI,MAAM,EAAE,CAAC;IAC5C,CAAC;IAGD,KAAK,CAAC,GAAG,CAAC,MAAc,EAAE,KAAa,EAAE,MAAc;QACrD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;QAC5C,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAChC,IAAI,KAAK,IAAI,KAAK,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE;YAAE,OAAO,KAAK,CAAC,CAAC,CAAC;QACpD,IAAI,KAAK;YAAE,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAChC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBACzC,IAAI,MAAM,KAAK,GAAG,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;oBACrC,MAAM,KAAK,GAAG,MAAM,KAAK,GAAG,CAAC;oBAC7B,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;oBACjE,OAAO,KAAK,CAAC;gBACf,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,gCAAgC,GAAG,KAAK,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;YAC7E,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,MAAc,EAAE,KAAa,EAAE,MAAc,EAAE,KAAc;QACrE,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;QAC5C,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;QACjE,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC9D,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,iCAAiC,GAAG,KAAK,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;YAC9E,CAAC;QACH,CAAC;IACH,CAAC;IAGD,KAAK,CAAC,UAAU,CAAC,MAAe;QAC9B,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC;QAChC,IAAI,CAAC,IAAI,CAAC,KAAK;YAAE,OAAO;QACxB,MAAM,OAAO,GAAG,MAAM,CAAC,CAAC,CAAC,OAAO,MAAM,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC;QACrD,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC5C,IAAI,IAAI,CAAC,MAAM;gBAAE,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC9C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,wCAAwC,OAAO,KAAK,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;QACzF,CAAC;IACH,CAAC;IAGD,kBAAkB,CAAC,MAAe;QAChC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC;YACjB,OAAO;QACT,CAAC;QACD,MAAM,MAAM,GAAG,OAAO,MAAM,GAAG,CAAC;QAChC,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC;YAClC,IAAI,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC;gBAAE,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACnD,CAAC;IACH,CAAC;CACF,CAAA;AA3EY,0CAAe;0BAAf,eAAe;IAD3B,IAAA,mBAAU,GAAE;IAQR,WAAA,IAAA,eAAM,EAAC,uBAAe,CAAC,CAAA;IACvB,WAAA,IAAA,iBAAQ,GAAE,CAAA;IAAE,WAAA,IAAA,eAAM,EAAC,2BAAmB,CAAC,CAAA;;GAR/B,eAAe,CA2E3B"}

package/modules/acl/cache/cache-store.d.ts

@@ -0,0 +1,6 @@
+export interface AclCacheStore {
+    get(key: string): Promise<string | null | undefined>;
+    set(key: string, value: string, ttlSeconds: number): Promise<void>;
+    del(keys: string[]): Promise<void>;
+    keys(pattern: string): Promise<string[]>;
+}

package/modules/acl/cache/cache-store.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=cache-store.js.map

package/modules/acl/cache/cache-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cache-store.js","sourceRoot":"","sources":["../../../../libs/rlb-nestjs-amqp/src/modules/acl/cache/cache-store.ts"],"names":[],"mappings":""}

package/modules/acl/config/acl.config.d.ts

@@ -0,0 +1,8 @@
+export interface AclCacheOptions {
+    ramTtlMs?: number;
+    l2TtlSec?: number;
+}
+export interface AclModuleOptions {
+    cache?: AclCacheOptions;
+    topic?: string;
+}

package/modules/acl/config/acl.config.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=acl.config.js.map

package/modules/acl/config/acl.config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"acl.config.js","sourceRoot":"","sources":["../../../../libs/rlb-nestjs-amqp/src/modules/acl/config/acl.config.ts"],"names":[],"mappings":""}

package/modules/acl/const.d.ts

@@ -0,0 +1,17 @@
+export declare const ACL_TOPIC = "rlb-acl";
+export declare const RLB_ACL_OPTIONS = "RLB_ACL_OPTIONS";
+export declare const RLB_ACL_CACHE_STORE = "RLB_ACL_CACHE_STORE";
+export declare const ACL_ACTIONS: {
+    readonly canUserDo: "acl-can-user-do";
+    readonly grant: "acl-grant";
+    readonly revoke: "acl-revoke";
+    readonly invalidate: "acl-invalidate";
+    readonly actionCreate: "acl-action-create";
+    readonly actionUpdate: "acl-action-update";
+    readonly actionDelete: "acl-action-delete";
+    readonly actionList: "acl-action-list";
+    readonly roleCreate: "acl-role-create";
+    readonly roleUpdate: "acl-role-update";
+    readonly roleDelete: "acl-role-delete";
+    readonly roleList: "acl-role-list";
+};

package/modules/acl/const.js

@@ -0,0 +1,21 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ACL_ACTIONS = exports.RLB_ACL_CACHE_STORE = exports.RLB_ACL_OPTIONS = exports.ACL_TOPIC = void 0;
+exports.ACL_TOPIC = 'rlb-acl';
+exports.RLB_ACL_OPTIONS = 'RLB_ACL_OPTIONS';
+exports.RLB_ACL_CACHE_STORE = 'RLB_ACL_CACHE_STORE';
+exports.ACL_ACTIONS = {
+    canUserDo: 'acl-can-user-do',
+    grant: 'acl-grant',
+    revoke: 'acl-revoke',
+    invalidate: 'acl-invalidate',
+    actionCreate: 'acl-action-create',
+    actionUpdate: 'acl-action-update',
+    actionDelete: 'acl-action-delete',
+    actionList: 'acl-action-list',
+    roleCreate: 'acl-role-create',
+    roleUpdate: 'acl-role-update',
+    roleDelete: 'acl-role-delete',
+    roleList: 'acl-role-list',
+};
+//# sourceMappingURL=const.js.map

package/modules/acl/const.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"const.js","sourceRoot":"","sources":["../../../libs/rlb-nestjs-amqp/src/modules/acl/const.ts"],"names":[],"mappings":";;;AAEa,QAAA,SAAS,GAAG,SAAS,CAAC;AAEtB,QAAA,eAAe,GAAG,iBAAiB,CAAC;AAEpC,QAAA,mBAAmB,GAAG,qBAAqB,CAAC;AAG5C,QAAA,WAAW,GAAG;IACzB,SAAS,EAAE,iBAAiB;IAC5B,KAAK,EAAE,WAAW;IAClB,MAAM,EAAE,YAAY;IACpB,UAAU,EAAE,gBAAgB;IAC5B,YAAY,EAAE,mBAAmB;IACjC,YAAY,EAAE,mBAAmB;IACjC,YAAY,EAAE,mBAAmB;IACjC,UAAU,EAAE,iBAAiB;IAC7B,UAAU,EAAE,iBAAiB;IAC7B,UAAU,EAAE,iBAAiB;IAC7B,UAAU,EAAE,iBAAiB;IAC7B,QAAQ,EAAE,eAAe;CACjB,CAAC"}

package/modules/acl/index.d.ts

@@ -0,0 +1,11 @@
+export * from './acl.module';
+export * from './cache/acl-cache.service';
+export * from './cache/cache-store';
+export * from './config/acl.config';
+export * from './const';
+export * from './models';
+export * from './repository/acl-action.repository';
+export * from './repository/acl-grant.repository';
+export * from './repository/acl-role.repository';
+export * from './services/acl-management.service';
+export * from './services/acl.service';

package/modules/acl/index.js

@@ -0,0 +1,28 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./acl.module"), exports);
+__exportStar(require("./cache/acl-cache.service"), exports);
+__exportStar(require("./cache/cache-store"), exports);
+__exportStar(require("./config/acl.config"), exports);
+__exportStar(require("./const"), exports);
+__exportStar(require("./models"), exports);
+__exportStar(require("./repository/acl-action.repository"), exports);
+__exportStar(require("./repository/acl-grant.repository"), exports);
+__exportStar(require("./repository/acl-role.repository"), exports);
+__exportStar(require("./services/acl-management.service"), exports);
+__exportStar(require("./services/acl.service"), exports);
+//# sourceMappingURL=index.js.map

package/modules/acl/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../libs/rlb-nestjs-amqp/src/modules/acl/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,+CAA6B;AAC7B,4DAA0C;AAC1C,sDAAoC;AACpC,sDAAoC;AACpC,0CAAwB;AACxB,2CAAyB;AACzB,qEAAmD;AACnD,oEAAkD;AAClD,mEAAiD;AACjD,oEAAkD;AAClD,yDAAuC"}