@prosopo/user-access-policy 2.6.4 → 3.1.5

package/dist/cjs/index.cjs

@@ -1,28 +1,27 @@
 "use strict";
 Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
-const apiRulePaths = require("./rules/api/apiRulePaths.cjs");
-const apiRuleRoutesProvider = require("./rules/api/apiRuleRoutesProvider.cjs");
-const getExpressApiRuleRateLimits = require("./rules/api/getExpressApiRuleRateLimits.cjs");
-const blacklistRulesInspector = require("./rules/blacklistRulesInspector.cjs");
-const imageCaptchaConfigRulesResolver = require("./rules/imageCaptchaConfigRulesResolver.cjs");
-const rulesMongooseStorage = require("./rules/mongoose/rulesMongooseStorage.cjs");
-const getRuleMongooseSchema = require("./rules/mongoose/schemas/getRuleMongooseSchema.cjs");
-const createBlacklistInspector = (rulesStorage, logger) => {
-  return new blacklistRulesInspector.BlacklistRulesInspector(rulesStorage, logger);
-};
-const createImageCaptchaConfigResolver = (rulesStorage, logger) => {
-  return new imageCaptchaConfigRulesResolver.ImageCaptchaConfigRulesResolver(rulesStorage, logger);
-};
+const accessPolicy = require("./accessPolicy.cjs");
+const accessPolicyResolver = require("./accessPolicyResolver.cjs");
+const accessRuleApiRoutes = require("./api/accessRuleApiRoutes.cjs");
+const deleteAllRulesEndpoint = require("./api/deleteAllRulesEndpoint.cjs");
+const deleteRulesEndpoint = require("./api/deleteRulesEndpoint.cjs");
+const insertRulesEndpoint = require("./api/insertRulesEndpoint.cjs");
+const redisAccessRules = require("./redis/redisAccessRules.cjs");
+const redisAccessRulesIndex = require("./redis/redisAccessRulesIndex.cjs");
 const createApiRuleRoutesProvider = (rulesStorage) => {
-  return new apiRuleRoutesProvider.ApiRuleRoutesProvider(rulesStorage);
-};
-const createMongooseRulesStorage = (logger, readingModel, writingModel = null) => {
-  return new rulesMongooseStorage.RulesMongooseStorage(logger, readingModel, writingModel);
+  return new accessRuleApiRoutes.AccessRuleApiRoutes(rulesStorage);
 };
-exports.apiRulePaths = apiRulePaths.apiRulePaths;
-exports.getExpressApiRuleRateLimits = getExpressApiRuleRateLimits.getExpressApiRuleRateLimits;
-exports.getRuleMongooseSchema = getRuleMongooseSchema.getRuleMongooseSchema;
+exports.AccessPolicyType = accessPolicy.AccessPolicyType;
+exports.accessPolicySchema = accessPolicy.accessPolicySchema;
+exports.policyScopeSchema = accessPolicy.policyScopeSchema;
+exports.userScopeInputSchema = accessPolicy.userScopeInputSchema;
+exports.ScopeMatch = accessPolicyResolver.ScopeMatch;
+exports.createAccessPolicyResolver = accessPolicyResolver.createAccessPolicyResolver;
+exports.accessRuleApiPaths = accessRuleApiRoutes.accessRuleApiPaths;
+exports.getExpressApiRuleRateLimits = accessRuleApiRoutes.getExpressApiRuleRateLimits;
+exports.deleteAllRulesEndpointSchema = deleteAllRulesEndpoint.deleteAllRulesEndpointSchema;
+exports.deleteRulesEndpointSchema = deleteRulesEndpoint.deleteRulesEndpointSchema;
+exports.insertRulesEndpointSchema = insertRulesEndpoint.insertRulesEndpointSchema;
+exports.createRedisAccessRulesStorage = redisAccessRules.createRedisAccessRulesStorage;
+exports.createRedisAccessRulesIndex = redisAccessRulesIndex.createRedisAccessRulesIndex;
 exports.createApiRuleRoutesProvider = createApiRuleRoutesProvider;
-exports.createBlacklistInspector = createBlacklistInspector;
-exports.createImageCaptchaConfigResolver = createImageCaptchaConfigResolver;
-exports.createMongooseRulesStorage = createMongooseRulesStorage;

package/dist/cjs/redis/redisAccessRules.cjs

@@ -0,0 +1,140 @@
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const util = require("node:util");
+const accessRules = require("../accessRules.cjs");
+const redisAccessRulesIndex = require("./redisAccessRulesIndex.cjs");
+function _interopNamespaceDefault(e) {
+  const n = Object.create(null, { [Symbol.toStringTag]: { value: "Module" } });
+  if (e) {
+    for (const k in e) {
+      if (k !== "default") {
+        const d = Object.getOwnPropertyDescriptor(e, k);
+        Object.defineProperty(n, k, d.get ? d : {
+          enumerable: true,
+          get: () => e[k]
+        });
+      }
+    }
+  }
+  n.default = e;
+  return Object.freeze(n);
+}
+const util__namespace = /* @__PURE__ */ _interopNamespaceDefault(util);
+const createRedisAccessRulesReader = (client, logger) => {
+  return {
+    findRules: async (filter) => {
+      const query = redisAccessRulesIndex.getRedisAccessRulesQuery(filter);
+      let searchReply;
+      try {
+        searchReply = await client.ft.search(
+          redisAccessRulesIndex.accessRulesRedisIndexName,
+          query,
+          redisAccessRulesIndex.accessRulesRedisSearchOptions
+        );
+        logger.debug(() => ({
+          msg: "Executed search query",
+          data: {
+            inspect: util__namespace.inspect(
+              {
+                filter,
+                searchReply,
+                query
+              },
+              { depth: null }
+            )
+          }
+        }));
+      } catch (e) {
+        logger.error(() => ({
+          err: e,
+          data: {
+            inspect: util__namespace.inspect(
+              {
+                query,
+                filter
+              },
+              {
+                depth: null
+              }
+            )
+          },
+          msg: "failed to execute search query"
+        }));
+        return [];
+      }
+      return extractAccessRulesFromSearchReply(searchReply, logger);
+    },
+    findRuleIds: async (filter) => {
+      const query = redisAccessRulesIndex.getRedisAccessRulesQuery(filter);
+      let searchReply;
+      try {
+        searchReply = await client.ft.searchNoContent(
+          redisAccessRulesIndex.accessRulesRedisIndexName,
+          query,
+          redisAccessRulesIndex.accessRulesRedisSearchOptions
+        );
+      } catch (e) {
+        logger.error(() => ({
+          err: e,
+          data: {
+            inspect: util__namespace.inspect(
+              {
+                query,
+                filter
+              },
+              {
+                depth: null
+              }
+            )
+          },
+          msg: "Failed to execute search query for rule IDs"
+        }));
+        return [];
+      }
+      return searchReply.documents;
+    }
+  };
+};
+const createRedisAccessRulesWriter = (client) => {
+  return {
+    insertRule: async (rule, expirationSeconds) => {
+      const ruleKey = redisAccessRulesIndex.getRedisAccessRuleKey(rule);
+      const ruleValue = redisAccessRulesIndex.getRedisAccessRuleValue(rule);
+      await client.hSet(ruleKey, ruleValue);
+      if (expirationSeconds) {
+        await client.expire(ruleKey, expirationSeconds);
+      }
+      return ruleKey;
+    },
+    deleteRules: async (ruleIds) => void await client.del(ruleIds),
+    deleteAllRules: async () => {
+      const keys = await client.keys(`${redisAccessRulesIndex.accessRuleRedisKeyPrefix}*`);
+      return keys.length > 0 ? await client.del(keys) : 0;
+    }
+  };
+};
+const createRedisAccessRulesStorage = (client, logger) => {
+  return {
+    ...createRedisAccessRulesReader(client, logger),
+    ...createRedisAccessRulesWriter(client)
+  };
+};
+const extractAccessRulesFromSearchReply = (searchReply, logger) => {
+  const accessRules$1 = [];
+  searchReply.documents.map(({ id, value: document }) => {
+    const parsedDocument = accessRules.accessRuleSchema.safeParse(document);
+    if (parsedDocument.success) {
+      accessRules$1.push(parsedDocument.data);
+    } else {
+      logger.debug(() => ({
+        msg: "Failed to parse access rule from search reply",
+        id,
+        error: parsedDocument.error
+      }));
+    }
+  });
+  return accessRules$1;
+};
+exports.createRedisAccessRulesReader = createRedisAccessRulesReader;
+exports.createRedisAccessRulesStorage = createRedisAccessRulesStorage;
+exports.createRedisAccessRulesWriter = createRedisAccessRulesWriter;

package/dist/cjs/redis/redisAccessRulesIndex.cjs

@@ -0,0 +1,103 @@
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const crypto = require("node:crypto");
+const search = require("@redis/search");
+const accessPolicyResolver = require("../accessPolicyResolver.cjs");
+const redisIndex = require("./redisIndex.cjs");
+const accessRulesRedisIndexName = "index:user-access-rules";
+const accessRuleRedisKeyPrefix = "uar:";
+const accessRuleContentHashAlgorithm = "md5";
+const accessRulesIndex = {
+  name: accessRulesRedisIndexName,
+  /**
+   * Note on the field type decision
+   *
+   * TAG is designed for the exact value matching
+   * TEXT is designed for the word-based and pattern matching
+   *
+   * For our goal TAG fits perfectly and, more performant
+   */
+  schema: {
+    clientId: {
+      type: search.SCHEMA_FIELD_TYPE.TAG,
+      // necessary to make possible use of the ismissing() function on this field in the search
+      INDEXMISSING: true
+    },
+    numericIpMaskMin: search.SCHEMA_FIELD_TYPE.NUMERIC,
+    numericIpMaskMax: search.SCHEMA_FIELD_TYPE.NUMERIC,
+    userId: search.SCHEMA_FIELD_TYPE.TAG,
+    numericIp: search.SCHEMA_FIELD_TYPE.NUMERIC,
+    ja4Hash: search.SCHEMA_FIELD_TYPE.TAG,
+    headersHash: search.SCHEMA_FIELD_TYPE.TAG,
+    userAgentHash: search.SCHEMA_FIELD_TYPE.TAG
+  },
+  // the satisfy statement is to guarantee that the keys are right
+  options: {
+    ON: "HASH",
+    PREFIX: accessRuleRedisKeyPrefix
+  }
+};
+const createRedisAccessRulesIndex = async (client) => redisIndex.createRedisIndex(client, accessRulesIndex);
+const numericIndexFields = [
+  "numericIp",
+  "numericIpMaskMin",
+  "numericIpMaskMax"
+];
+const greedyFieldComparisons = {
+  numericIp: (value) => `( @numericIp:[${value}] | ( @numericIpMaskMin:[-inf ${value}] @numericIpMaskMax:[${value} +inf] ) )`
+};
+const accessRulesRedisSearchOptions = {
+  // #2 is a required option when the 'ismissing()' function is in the query body
+  DIALECT: 2
+};
+const getRedisAccessRulesQuery = (filter) => {
+  const { policyScope, userScope } = filter;
+  const policyScopeFilter = getPolicyScopeQuery(
+    policyScope,
+    filter.policyScopeMatch
+  );
+  if (userScope && Object.keys(userScope).length > 0) {
+    const userScopeFilter = getUserScopeQuery(userScope, filter.userScopeMatch);
+    return `${policyScopeFilter} ( ${userScopeFilter} )`;
+  }
+  return policyScopeFilter ? policyScopeFilter : "*";
+};
+const getPolicyScopeQuery = (policyScope, scopeMatchType) => {
+  const clientId = policyScope?.clientId;
+  if ("string" === typeof clientId) {
+    return accessPolicyResolver.ScopeMatch.Exact === scopeMatchType ? `@clientId:{${clientId}}` : `( @clientId:{${clientId}} | ismissing(@clientId) )`;
+  }
+  return accessPolicyResolver.ScopeMatch.Exact === scopeMatchType ? "ismissing(@clientId)" : "";
+};
+const getUserScopeQuery = (userScope, scopeMatchType) => {
+  const scopeEntries = Object.entries(userScope).filter(([_, value]) => value !== void 0);
+  const scopeJoinType = accessPolicyResolver.ScopeMatch.Exact === scopeMatchType ? " " : " | ";
+  return scopeEntries.map(
+    ([scopeFieldName, scopeFieldValue]) => getUserScopeFieldQuery(scopeFieldName, scopeFieldValue, scopeMatchType)
+  ).join(scopeJoinType);
+};
+const getUserScopeFieldQuery = (fieldName, fieldValue, matchType) => {
+  if (accessPolicyResolver.ScopeMatch.Greedy === matchType && "function" === typeof greedyFieldComparisons[fieldName]) {
+    return greedyFieldComparisons[fieldName](fieldValue);
+  }
+  return numericIndexFields.includes(fieldName) ? `@${fieldName}:[${fieldValue}]` : `@${fieldName}:{${fieldValue}}`;
+};
+const getRedisAccessRuleKey = (rule) => accessRuleRedisKeyPrefix + crypto.createHash(accessRuleContentHashAlgorithm).update(
+  JSON.stringify(
+    rule,
+    (key, value) => (
+      // JSON.stringify can't handle BigInt itself: throws "Do not know how to serialize a BigInt"
+      "bigint" === typeof value ? value.toString() : value
+    )
+  )
+).digest("hex");
+const getRedisAccessRuleValue = (rule) => Object.fromEntries(
+  Object.entries(rule).map(([key, value]) => [key, String(value)])
+);
+exports.accessRuleRedisKeyPrefix = accessRuleRedisKeyPrefix;
+exports.accessRulesRedisIndexName = accessRulesRedisIndexName;
+exports.accessRulesRedisSearchOptions = accessRulesRedisSearchOptions;
+exports.createRedisAccessRulesIndex = createRedisAccessRulesIndex;
+exports.getRedisAccessRuleKey = getRedisAccessRuleKey;
+exports.getRedisAccessRuleValue = getRedisAccessRuleValue;
+exports.getRedisAccessRulesQuery = getRedisAccessRulesQuery;

package/dist/cjs/redis/redisIndex.cjs

@@ -0,0 +1,22 @@
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const crypto = require("node:crypto");
+const redisIndexHashesRecordKey = "_index_hashes";
+const redisIndexHashAlgorithm = "sha256";
+const createRedisIndex = async (client, index) => {
+  const indexHash = createIndexHash(index);
+  const existingIndexes = await client.ft._LIST();
+  if (existingIndexes.includes(index.name)) {
+    const existingIndexHash = await fetchIndexHash(client, index.name);
+    if (indexHash === existingIndexHash) {
+      return;
+    }
+    await client.ft.dropIndex(index.name);
+  }
+  await client.ft.create(index.name, index.schema, index.options);
+  await saveIndexHash(client, index.name, indexHash);
+};
+const createIndexHash = (index) => crypto.createHash(redisIndexHashAlgorithm).update(JSON.stringify(index)).digest("hex");
+const fetchIndexHash = async (client, indexName) => client.hGet(redisIndexHashesRecordKey, indexName);
+const saveIndexHash = async (client, indexName, indexHash) => client.hSet(redisIndexHashesRecordKey, indexName, indexHash);
+exports.createRedisIndex = createRedisIndex;

package/dist/cjs/util.cjs

@@ -0,0 +1,5 @@
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const crypto = require("node:crypto");
+const hashUserAgent = (userAgent) => crypto.createHash("sha256").update(userAgent).digest("hex");
+exports.hashUserAgent = hashUserAgent;

package/dist/index.d.ts

@@ -1,17 +1,15 @@
 import type { ApiRoutesProvider } from "@prosopo/api-route";
-import type { Logger } from "@prosopo/common";
-import type { Model } from "mongoose";
-import type { BlacklistInspector } from "./blacklistInspector.js";
-import { apiRulePaths } from "./rules/api/apiRulePaths.js";
-import { getExpressApiRuleRateLimits } from "./rules/api/getExpressApiRuleRateLimits.js";
-import type { ApiInsertManyRulesArgsOutputSchema, ApiInsertManyRulesArgsSchema } from "./rules/api/insertMany/apiInsertManyRulesArgsSchema.js";
-import { ImageCaptchaConfigRulesResolver } from "./rules/imageCaptchaConfigRulesResolver.js";
-import { getRuleMongooseSchema } from "./rules/mongoose/schemas/getRuleMongooseSchema.js";
-import type { Rule } from "./rules/rule/rule.js";
-import type { RulesStorage } from "./rules/storage/rulesStorage.js";
-declare const createBlacklistInspector: (rulesStorage: RulesStorage, logger: Logger) => BlacklistInspector;
-declare const createImageCaptchaConfigResolver: (rulesStorage: RulesStorage, logger: Logger) => ImageCaptchaConfigRulesResolver;
-declare const createApiRuleRoutesProvider: (rulesStorage: RulesStorage) => ApiRoutesProvider;
-declare const createMongooseRulesStorage: (logger: Logger, readingModel: Model<Rule> | null, writingModel?: Model<Rule> | null) => RulesStorage;
-export { type Rule, type RulesStorage, type BlacklistInspector, type ApiInsertManyRulesArgsSchema, type ApiInsertManyRulesArgsOutputSchema, createMongooseRulesStorage, createImageCaptchaConfigResolver, createBlacklistInspector, createApiRuleRoutesProvider, getRuleMongooseSchema, getExpressApiRuleRateLimits, apiRulePaths, };
+import { type AccessPolicy, AccessPolicyType, type AccessRuleExtended, type PolicyScope, type UserScope, type UserScopeApiInput, type UserScopeApiOutput, accessPolicySchema, policyScopeSchema } from "#policy/accessPolicy.js";
+import { type ResolveAccessPolicy, createAccessPolicyResolver } from "#policy/accessPolicyResolver.js";
+import { type PolicyFilter, ScopeMatch } from "#policy/accessPolicyResolver.js";
+import type { AccessRule, AccessRulesStorage } from "#policy/accessRules.js";
+import { accessRuleApiPaths, getExpressApiRuleRateLimits } from "#policy/api/accessRuleApiRoutes.js";
+import { deleteAllRulesEndpointSchema } from "#policy/api/deleteAllRulesEndpoint.js";
+import { type DeleteRulesEndpointSchemaInput, type DeleteRulesEndpointSchemaOutput, deleteRulesEndpointSchema } from "#policy/api/deleteRulesEndpoint.js";
+import { type InsertManyRulesEndpointInputSchema, type InsertManyRulesEndpointOutputSchema, insertRulesEndpointSchema } from "#policy/api/insertRulesEndpoint.js";
+import { createRedisAccessRulesStorage } from "#policy/redis/redisAccessRules.js";
+import { createRedisAccessRulesIndex } from "#policy/redis/redisAccessRulesIndex.js";
+import { userScopeInputSchema } from "./accessPolicy.js";
+export declare const createApiRuleRoutesProvider: (rulesStorage: AccessRulesStorage) => ApiRoutesProvider;
+export { type AccessPolicy, type PolicyScope, type AccessRulesStorage, type ResolveAccessPolicy, type PolicyFilter, type DeleteRulesEndpointSchemaOutput, type DeleteRulesEndpointSchemaInput, type InsertManyRulesEndpointInputSchema, type InsertManyRulesEndpointOutputSchema, type AccessRule, type UserScope, type UserScopeApiInput, type UserScopeApiOutput, type AccessRuleExtended, createAccessPolicyResolver, AccessPolicyType, ScopeMatch, createRedisAccessRulesIndex, createRedisAccessRulesStorage, accessRuleApiPaths, accessPolicySchema, policyScopeSchema, insertRulesEndpointSchema, deleteAllRulesEndpointSchema, deleteRulesEndpointSchema, getExpressApiRuleRateLimits, userScopeInputSchema, };
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAcA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAC5D,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,UAAU,CAAC;AACtC,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AAClE,OAAO,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAE3D,OAAO,EAAE,2BAA2B,EAAE,MAAM,4CAA4C,CAAC;AACzF,OAAO,KAAK,EACX,kCAAkC,EAClC,4BAA4B,EAC5B,MAAM,wDAAwD,CAAC;AAEhE,OAAO,EAAE,+BAA+B,EAAE,MAAM,4CAA4C,CAAC;AAE7F,OAAO,EAAE,qBAAqB,EAAE,MAAM,mDAAmD,CAAC;AAC1F,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AACjD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,iCAAiC,CAAC;AAEpE,QAAA,MAAM,wBAAwB,iBACf,YAAY,UAClB,MAAM,KACZ,kBAEF,CAAC;AAEF,QAAA,MAAM,gCAAgC,iBACvB,YAAY,UAClB,MAAM,KACZ,+BAEF,CAAC;AAEF,QAAA,MAAM,2BAA2B,iBAClB,YAAY,KACxB,iBAEF,CAAC;AAEF,QAAA,MAAM,0BAA0B,WACvB,MAAM,gBACA,KAAK,CAAC,IAAI,CAAC,GAAG,IAAI,iBAClB,KAAK,CAAC,IAAI,CAAC,GAAG,IAAI,KAC9B,YAEF,CAAC;AAEF,OAAO,EACN,KAAK,IAAI,EACT,KAAK,YAAY,EACjB,KAAK,kBAAkB,EACvB,KAAK,4BAA4B,EACjC,KAAK,kCAAkC,EACvC,0BAA0B,EAC1B,gCAAgC,EAChC,wBAAwB,EACxB,2BAA2B,EAC3B,qBAAqB,EACrB,2BAA2B,EAC3B,YAAY,GACZ,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAcA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAC5D,OAAO,EACN,KAAK,YAAY,EACjB,gBAAgB,EAChB,KAAK,kBAAkB,EACvB,KAAK,WAAW,EAChB,KAAK,SAAS,EACd,KAAK,iBAAiB,EACtB,KAAK,kBAAkB,EACvB,kBAAkB,EAClB,iBAAiB,EACjB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACN,KAAK,mBAAmB,EACxB,0BAA0B,EAC1B,MAAM,iCAAiC,CAAC;AACzC,OAAO,EAAE,KAAK,YAAY,EAAE,UAAU,EAAE,MAAM,iCAAiC,CAAC;AAChF,OAAO,KAAK,EAAE,UAAU,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAC7E,OAAO,EAEN,kBAAkB,EAClB,2BAA2B,EAC3B,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAAE,4BAA4B,EAAE,MAAM,uCAAuC,CAAC;AACrF,OAAO,EACN,KAAK,8BAA8B,EACnC,KAAK,+BAA+B,EACpC,yBAAyB,EACzB,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EACN,KAAK,kCAAkC,EACvC,KAAK,mCAAmC,EACxC,yBAAyB,EACzB,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAAE,6BAA6B,EAAE,MAAM,mCAAmC,CAAC;AAClF,OAAO,EAAE,2BAA2B,EAAE,MAAM,wCAAwC,CAAC;AACrF,OAAO,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AAEzD,eAAO,MAAM,2BAA2B,iBACzB,kBAAkB,KAC9B,iBAEF,CAAC;AAEF,OAAO,EACN,KAAK,YAAY,EACjB,KAAK,WAAW,EAChB,KAAK,kBAAkB,EACvB,KAAK,mBAAmB,EACxB,KAAK,YAAY,EACjB,KAAK,+BAA+B,EACpC,KAAK,8BAA8B,EACnC,KAAK,kCAAkC,EACvC,KAAK,mCAAmC,EACxC,KAAK,UAAU,EACf,KAAK,SAAS,EACd,KAAK,iBAAiB,EACtB,KAAK,kBAAkB,EACvB,KAAK,kBAAkB,EACvB,0BAA0B,EAC1B,gBAAgB,EAChB,UAAU,EAEV,2BAA2B,EAC3B,6BAA6B,EAE7B,kBAAkB,EAClB,kBAAkB,EAClB,iBAAiB,EACjB,yBAAyB,EACzB,4BAA4B,EAC5B,yBAAyB,EACzB,2BAA2B,EAC3B,oBAAoB,GACpB,CAAC"}

package/dist/index.js

@@ -1,21 +1,15 @@
-import { apiRulePaths } from "./rules/api/apiRulePaths.js";
-import { ApiRuleRoutesProvider } from "./rules/api/apiRuleRoutesProvider.js";
-import { getExpressApiRuleRateLimits } from "./rules/api/getExpressApiRuleRateLimits.js";
-import { BlacklistRulesInspector } from "./rules/blacklistRulesInspector.js";
-import { ImageCaptchaConfigRulesResolver } from "./rules/imageCaptchaConfigRulesResolver.js";
-import { RulesMongooseStorage } from "./rules/mongoose/rulesMongooseStorage.js";
-import { getRuleMongooseSchema } from "./rules/mongoose/schemas/getRuleMongooseSchema.js";
-const createBlacklistInspector = (rulesStorage, logger) => {
-    return new BlacklistRulesInspector(rulesStorage, logger);
-};
-const createImageCaptchaConfigResolver = (rulesStorage, logger) => {
-    return new ImageCaptchaConfigRulesResolver(rulesStorage, logger);
-};
-const createApiRuleRoutesProvider = (rulesStorage) => {
-    return new ApiRuleRoutesProvider(rulesStorage);
-};
-const createMongooseRulesStorage = (logger, readingModel, writingModel = null) => {
-    return new RulesMongooseStorage(logger, readingModel, writingModel);
-};
-export { createMongooseRulesStorage, createImageCaptchaConfigResolver, createBlacklistInspector, createApiRuleRoutesProvider, getRuleMongooseSchema, getExpressApiRuleRateLimits, apiRulePaths, };
+import { AccessPolicyType, accessPolicySchema, policyScopeSchema, } from "#policy/accessPolicy.js";
+import { createAccessPolicyResolver, } from "#policy/accessPolicyResolver.js";
+import { ScopeMatch } from "#policy/accessPolicyResolver.js";
+import { AccessRuleApiRoutes, accessRuleApiPaths, getExpressApiRuleRateLimits, } from "#policy/api/accessRuleApiRoutes.js";
+import { deleteAllRulesEndpointSchema } from "#policy/api/deleteAllRulesEndpoint.js";
+import { deleteRulesEndpointSchema, } from "#policy/api/deleteRulesEndpoint.js";
+import { insertRulesEndpointSchema, } from "#policy/api/insertRulesEndpoint.js";
+import { createRedisAccessRulesStorage } from "#policy/redis/redisAccessRules.js";
+import { createRedisAccessRulesIndex } from "#policy/redis/redisAccessRulesIndex.js";
+import { userScopeInputSchema } from "./accessPolicy.js";
+export const createApiRuleRoutesProvider = (rulesStorage) => {
+    return new AccessRuleApiRoutes(rulesStorage);
+};
+export { createAccessPolicyResolver, AccessPolicyType, ScopeMatch, createRedisAccessRulesIndex, createRedisAccessRulesStorage, accessRuleApiPaths, accessPolicySchema, policyScopeSchema, insertRulesEndpointSchema, deleteAllRulesEndpointSchema, deleteRulesEndpointSchema, getExpressApiRuleRateLimits, userScopeInputSchema, };
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAkBA,OAAO,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC3D,OAAO,EAAE,qBAAqB,EAAE,MAAM,sCAAsC,CAAC;AAC7E,OAAO,EAAE,2BAA2B,EAAE,MAAM,4CAA4C,CAAC;AAKzF,OAAO,EAAE,uBAAuB,EAAE,MAAM,oCAAoC,CAAC;AAC7E,OAAO,EAAE,+BAA+B,EAAE,MAAM,4CAA4C,CAAC;AAC7F,OAAO,EAAE,oBAAoB,EAAE,MAAM,0CAA0C,CAAC;AAChF,OAAO,EAAE,qBAAqB,EAAE,MAAM,mDAAmD,CAAC;AAI1F,MAAM,wBAAwB,GAAG,CAChC,YAA0B,EAC1B,MAAc,EACO,EAAE;IACvB,OAAO,IAAI,uBAAuB,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;AAC1D,CAAC,CAAC;AAEF,MAAM,gCAAgC,GAAG,CACxC,YAA0B,EAC1B,MAAc,EACoB,EAAE;IACpC,OAAO,IAAI,+BAA+B,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;AAClE,CAAC,CAAC;AAEF,MAAM,2BAA2B,GAAG,CACnC,YAA0B,EACN,EAAE;IACtB,OAAO,IAAI,qBAAqB,CAAC,YAAY,CAAC,CAAC;AAChD,CAAC,CAAC;AAEF,MAAM,0BAA0B,GAAG,CAClC,MAAc,EACd,YAAgC,EAChC,eAAmC,IAAI,EACxB,EAAE;IACjB,OAAO,IAAI,oBAAoB,CAAC,MAAM,EAAE,YAAY,EAAE,YAAY,CAAC,CAAC;AACrE,CAAC,CAAC;AAEF,OAAO,EAMN,0BAA0B,EAC1B,gCAAgC,EAChC,wBAAwB,EACxB,2BAA2B,EAC3B,qBAAqB,EACrB,2BAA2B,EAC3B,YAAY,GACZ,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAeA,OAAO,EAEN,gBAAgB,EAMhB,kBAAkB,EAClB,iBAAiB,GACjB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAEN,0BAA0B,GAC1B,MAAM,iCAAiC,CAAC;AACzC,OAAO,EAAqB,UAAU,EAAE,MAAM,iCAAiC,CAAC;AAEhF,OAAO,EACN,mBAAmB,EACnB,kBAAkB,EAClB,2BAA2B,GAC3B,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAAE,4BAA4B,EAAE,MAAM,uCAAuC,CAAC;AACrF,OAAO,EAGN,yBAAyB,GACzB,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAGN,yBAAyB,GACzB,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAAE,6BAA6B,EAAE,MAAM,mCAAmC,CAAC;AAClF,OAAO,EAAE,2BAA2B,EAAE,MAAM,wCAAwC,CAAC;AACrF,OAAO,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AAEzD,MAAM,CAAC,MAAM,2BAA2B,GAAG,CAC1C,YAAgC,EACZ,EAAE;IACtB,OAAO,IAAI,mBAAmB,CAAC,YAAY,CAAC,CAAC;AAC9C,CAAC,CAAC;AAEF,OAAO,EAeN,0BAA0B,EAC1B,gBAAgB,EAChB,UAAU,EAEV,2BAA2B,EAC3B,6BAA6B,EAE7B,kBAAkB,EAClB,kBAAkB,EAClB,iBAAiB,EACjB,yBAAyB,EACzB,4BAA4B,EAC5B,yBAAyB,EACzB,2BAA2B,EAC3B,oBAAoB,GACpB,CAAC"}

package/dist/redis/redisAccessRules.d.ts

@@ -0,0 +1,7 @@
+import type { Logger } from "@prosopo/common";
+import type { RedisClientType } from "redis";
+import { type AccessRulesReader, type AccessRulesStorage, type AccessRulesWriter } from "#policy/accessRules.js";
+export declare const createRedisAccessRulesReader: (client: RedisClientType, logger: Logger) => AccessRulesReader;
+export declare const createRedisAccessRulesWriter: (client: RedisClientType) => AccessRulesWriter;
+export declare const createRedisAccessRulesStorage: (client: RedisClientType, logger: Logger) => AccessRulesStorage;
+//# sourceMappingURL=redisAccessRules.d.ts.map

package/dist/redis/redisAccessRules.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"redisAccessRules.d.ts","sourceRoot":"","sources":["../../src/redis/redisAccessRules.ts"],"names":[],"mappings":"AAeA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAC;AAG9C,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,OAAO,CAAC;AAE7C,OAAO,EAEN,KAAK,iBAAiB,EACtB,KAAK,kBAAkB,EACvB,KAAK,iBAAiB,EAEtB,MAAM,wBAAwB,CAAC;AAUhC,eAAO,MAAM,4BAA4B,WAChC,eAAe,UACf,MAAM,KACZ,iBAqFF,CAAC;AAEF,eAAO,MAAM,4BAA4B,WAChC,eAAe,KACrB,iBA2BF,CAAC;AAEF,eAAO,MAAM,6BAA6B,WACjC,eAAe,UACf,MAAM,KACZ,kBAKF,CAAC"}

package/dist/redis/redisAccessRules.js

@@ -0,0 +1,105 @@
+import * as util from "node:util";
+import { accessRuleSchema, } from "#policy/accessRules.js";
+import { accessRuleRedisKeyPrefix, accessRulesRedisIndexName, accessRulesRedisSearchOptions, getRedisAccessRuleKey, getRedisAccessRuleValue, getRedisAccessRulesQuery, } from "#policy/redis/redisAccessRulesIndex.js";
+export const createRedisAccessRulesReader = (client, logger) => {
+    return {
+        findRules: async (filter) => {
+            const query = getRedisAccessRulesQuery(filter);
+            let searchReply;
+            try {
+                searchReply = await client.ft.search(accessRulesRedisIndexName, query, accessRulesRedisSearchOptions);
+                logger.debug(() => ({
+                    msg: "Executed search query",
+                    data: {
+                        inspect: util.inspect({
+                            filter: filter,
+                            searchReply: searchReply,
+                            query: query,
+                        }, { depth: null }),
+                    },
+                }));
+            }
+            catch (e) {
+                logger.error(() => ({
+                    err: e,
+                    data: {
+                        inspect: util.inspect({
+                            query: query,
+                            filter: filter,
+                        }, {
+                            depth: null,
+                        }),
+                    },
+                    msg: "failed to execute search query",
+                }));
+                return [];
+            }
+            return extractAccessRulesFromSearchReply(searchReply, logger);
+        },
+        findRuleIds: async (filter) => {
+            const query = getRedisAccessRulesQuery(filter);
+            let searchReply;
+            try {
+                searchReply = await client.ft.searchNoContent(accessRulesRedisIndexName, query, accessRulesRedisSearchOptions);
+            }
+            catch (e) {
+                logger.error(() => ({
+                    err: e,
+                    data: {
+                        inspect: util.inspect({
+                            query: query,
+                            filter: filter,
+                        }, {
+                            depth: null,
+                        }),
+                    },
+                    msg: "Failed to execute search query for rule IDs",
+                }));
+                return [];
+            }
+            return searchReply.documents;
+        },
+    };
+};
+export const createRedisAccessRulesWriter = (client) => {
+    return {
+        insertRule: async (rule, expirationSeconds) => {
+            const ruleKey = getRedisAccessRuleKey(rule);
+            const ruleValue = getRedisAccessRuleValue(rule);
+            await client.hSet(ruleKey, ruleValue);
+            if (expirationSeconds) {
+                await client.expire(ruleKey, expirationSeconds);
+            }
+            return ruleKey;
+        },
+        deleteRules: async (ruleIds) => void (await client.del(ruleIds)),
+        deleteAllRules: async () => {
+            const keys = await client.keys(`${accessRuleRedisKeyPrefix}*`);
+            return keys.length > 0 ? await client.del(keys) : 0;
+        },
+    };
+};
+export const createRedisAccessRulesStorage = (client, logger) => {
+    return {
+        ...createRedisAccessRulesReader(client, logger),
+        ...createRedisAccessRulesWriter(client),
+    };
+};
+const extractAccessRulesFromSearchReply = (searchReply, logger) => {
+    const accessRules = [];
+    searchReply.documents.map(({ id, value: document }) => {
+        const parsedDocument = accessRuleSchema.safeParse(document);
+        if (parsedDocument.success) {
+            accessRules.push(parsedDocument.data);
+        }
+        else {
+            logger.debug(() => ({
+                msg: "Failed to parse access rule from search reply",
+                id: id,
+                error: parsedDocument.error,
+            }));
+        }
+    });
+    return accessRules;
+};
+//# sourceMappingURL=redisAccessRules.js.map

package/dist/redis/redisAccessRules.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"redisAccessRules.js","sourceRoot":"","sources":["../../src/redis/redisAccessRules.ts"],"names":[],"mappings":"AAcA,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAMlC,OAAO,EAKN,gBAAgB,GAChB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACN,wBAAwB,EACxB,yBAAyB,EACzB,6BAA6B,EAC7B,qBAAqB,EACrB,uBAAuB,EACvB,wBAAwB,GACxB,MAAM,wCAAwC,CAAC;AAEhD,MAAM,CAAC,MAAM,4BAA4B,GAAG,CAC3C,MAAuB,EACvB,MAAc,EACM,EAAE;IACtB,OAAO;QACN,SAAS,EAAE,KAAK,EAAE,MAAoB,EAAyB,EAAE;YAChE,MAAM,KAAK,GAAG,wBAAwB,CAAC,MAAM,CAAC,CAAC;YAE/C,IAAI,WAAwB,CAAC;YAE7B,IAAI,CAAC;gBACJ,WAAW,GAAG,MAAM,MAAM,CAAC,EAAE,CAAC,MAAM,CACnC,yBAAyB,EACzB,KAAK,EACL,6BAA6B,CAC7B,CAAC;gBAEF,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC;oBACnB,GAAG,EAAE,uBAAuB;oBAC5B,IAAI,EAAE;wBACL,OAAO,EAAE,IAAI,CAAC,OAAO,CACpB;4BACC,MAAM,EAAE,MAAM;4BACd,WAAW,EAAE,WAAW;4BACxB,KAAK,EAAE,KAAK;yBACZ,EACD,EAAE,KAAK,EAAE,IAAI,EAAE,CACf;qBACD;iBACD,CAAC,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACZ,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC;oBACnB,GAAG,EAAE,CAAC;oBACN,IAAI,EAAE;wBACL,OAAO,EAAE,IAAI,CAAC,OAAO,CACpB;4BACC,KAAK,EAAE,KAAK;4BACZ,MAAM,EAAE,MAAM;yBACd,EACD;4BACC,KAAK,EAAE,IAAI;yBACX,CACD;qBACD;oBACD,GAAG,EAAE,gCAAgC;iBACrC,CAAC,CAAC,CAAC;gBAEJ,OAAO,EAAE,CAAC;YACX,CAAC;YAED,OAAO,iCAAiC,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QAC/D,CAAC;QAED,WAAW,EAAE,KAAK,EAAE,MAAoB,EAAqB,EAAE;YAC9D,MAAM,KAAK,GAAG,wBAAwB,CAAC,MAAM,CAAC,CAAC;YAE/C,IAAI,WAAiC,CAAC;YAEtC,IAAI,CAAC;gBACJ,WAAW,GAAG,MAAM,MAAM,CAAC,EAAE,CAAC,eAAe,CAC5C,yBAAyB,EACzB,KAAK,EACL,6BAA6B,CAC7B,CAAC;YACH,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBAEZ,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC;oBACnB,GAAG,EAAE,CAAC;oBACN,IAAI,EAAE;wBACL,OAAO,EAAE,IAAI,CAAC,OAAO,CACpB;4BACC,KAAK,EAAE,KAAK;4BACZ,MAAM,EAAE,MAAM;yBACd,EACD;4BACC,KAAK,EAAE,IAAI;yBACX,CACD;qBACD;oBACD,GAAG,EAAE,6CAA6C;iBAClD,CAAC,CAAC,CAAC;gBAEJ,OAAO,EAAE,CAAC;YACX,CAAC;YAED,OAAO,WAAW,CAAC,SAAS,CAAC;QAC9B,CAAC;KACD,CAAC;AACH,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,4BAA4B,GAAG,CAC3C,MAAuB,EACH,EAAE;IACtB,OAAO;QACN,UAAU,EAAE,KAAK,EAChB,IAAgB,EAChB,iBAA0B,EACR,EAAE;YACpB,MAAM,OAAO,GAAG,qBAAqB,CAAC,IAAI,CAAC,CAAC;YAC5C,MAAM,SAAS,GAAG,uBAAuB,CAAC,IAAI,CAAC,CAAC;YAEhD,MAAM,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;YAEtC,IAAI,iBAAiB,EAAE,CAAC;gBACvB,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAC;YACjD,CAAC;YAED,OAAO,OAAO,CAAC;QAChB,CAAC;QAED,WAAW,EAAE,KAAK,EAAE,OAAiB,EAAiB,EAAE,CACvD,KAAK,CAAC,MAAM,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAEjC,cAAc,EAAE,KAAK,IAAqB,EAAE;YAC3C,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,GAAG,wBAAwB,GAAG,CAAC,CAAC;YAE/D,OAAO,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACrD,CAAC;KACD,CAAC;AACH,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,6BAA6B,GAAG,CAC5C,MAAuB,EACvB,MAAc,EACO,EAAE;IACvB,OAAO;QACN,GAAG,4BAA4B,CAAC,MAAM,EAAE,MAAM,CAAC;QAC/C,GAAG,4BAA4B,CAAC,MAAM,CAAC;KACvC,CAAC;AACH,CAAC,CAAC;AAEF,MAAM,iCAAiC,GAAG,CACzC,WAAwB,EACxB,MAAc,EACC,EAAE;IACjB,MAAM,WAAW,GAAiB,EAAE,CAAC;IAErC,WAAW,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE,EAAE;QACrD,MAAM,cAAc,GAAG,gBAAgB,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QAE5D,IAAI,cAAc,CAAC,OAAO,EAAE,CAAC;YAC5B,WAAW,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;QACvC,CAAC;aAAM,CAAC;YACP,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC;gBACnB,GAAG,EAAE,+CAA+C;gBACpD,EAAE,EAAE,EAAE;gBACN,KAAK,EAAE,cAAc,CAAC,KAAK;aAC3B,CAAC,CAAC,CAAC;QACL,CAAC;IACF,CAAC,CAAC,CAAC;IAEH,OAAO,WAAW,CAAC;AACpB,CAAC,CAAC"}

package/dist/redis/redisAccessRulesIndex.d.ts

@@ -0,0 +1,12 @@
+import { type FtSearchOptions } from "@redis/search";
+import type { RedisClientType } from "redis";
+import { type PolicyFilter } from "#policy/accessPolicyResolver.js";
+import type { AccessRule } from "#policy/accessRules.js";
+export declare const accessRulesRedisIndexName = "index:user-access-rules";
+export declare const accessRuleRedisKeyPrefix = "uar:";
+export declare const createRedisAccessRulesIndex: (client: RedisClientType) => Promise<void>;
+export declare const accessRulesRedisSearchOptions: FtSearchOptions;
+export declare const getRedisAccessRulesQuery: (filter: PolicyFilter) => string;
+export declare const getRedisAccessRuleKey: (rule: AccessRule) => string;
+export declare const getRedisAccessRuleValue: (rule: AccessRule) => Record<string, string>;
+//# sourceMappingURL=redisAccessRulesIndex.d.ts.map

package/dist/redis/redisAccessRulesIndex.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"redisAccessRulesIndex.d.ts","sourceRoot":"","sources":["../../src/redis/redisAccessRulesIndex.ts"],"names":[],"mappings":"AAeA,OAAO,EAAE,KAAK,eAAe,EAAqB,MAAM,eAAe,CAAC;AACxE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,OAAO,CAAC;AAE7C,OAAO,EAAE,KAAK,YAAY,EAAc,MAAM,iCAAiC,CAAC;AAChF,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAGzD,eAAO,MAAM,yBAAyB,4BAA4B,CAAC;AAEnE,eAAO,MAAM,wBAAwB,SAAS,CAAC;AAkC/C,eAAO,MAAM,2BAA2B,WAC/B,eAAe,KACrB,OAAO,CAAC,IAAI,CAA+C,CAAC;AAkB/D,eAAO,MAAM,6BAA6B,EAAE,eAG3C,CAAC;AAYF,eAAO,MAAM,wBAAwB,WAAY,YAAY,KAAG,MAe/D,CAAC;AAqDF,eAAO,MAAM,qBAAqB,SAAU,UAAU,KAAG,MAUzC,CAAC;AAEjB,eAAO,MAAM,uBAAuB,SAC7B,UAAU,KACd,MAAM,CAAC,MAAM,EAAE,MAAM,CAGtB,CAAC"}