@prosopo/user-access-policy 3.3.2 → 3.5.19

package/dist/cjs/redis/redisAccessRulesIndex.cjs

@@ -1,113 +0,0 @@
-"use strict";
-Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
-const crypto = require("node:crypto");
-const search = require("@redis/search");
-const accessPolicyResolver = require("../accessPolicyResolver.cjs");
-const redisIndex = require("./redisIndex.cjs");
-const accessRulesRedisIndexName = "index:user-access-rules";
-const accessRuleRedisKeyPrefix = "uar:";
-const accessRuleContentHashAlgorithm = "md5";
-const DEFAULT_SEARCH_LIMIT = 1e3;
-const accessRulesIndex = {
-  name: accessRulesRedisIndexName,
-  /**
-   * Note on the field type decision
-   *
-   * TAG is designed for the exact value matching
-   * TEXT is designed for the word-based and pattern matching
-   *
-   * For our goal TAG fits perfectly and, more performant
-   */
-  schema: {
-    clientId: {
-      type: search.SCHEMA_FIELD_TYPE.TAG,
-      // necessary to make possible use of the ismissing() function on this field in the search
-      INDEXMISSING: true
-    },
-    numericIpMaskMin: search.SCHEMA_FIELD_TYPE.NUMERIC,
-    numericIpMaskMax: search.SCHEMA_FIELD_TYPE.NUMERIC,
-    userId: search.SCHEMA_FIELD_TYPE.TAG,
-    numericIp: { type: search.SCHEMA_FIELD_TYPE.NUMERIC, INDEXMISSING: true },
-    ja4Hash: search.SCHEMA_FIELD_TYPE.TAG,
-    headersHash: search.SCHEMA_FIELD_TYPE.TAG,
-    userAgentHash: search.SCHEMA_FIELD_TYPE.TAG
-  },
-  // the satisfy statement is to guarantee that the keys are right
-  options: {
-    ON: "HASH",
-    PREFIX: [accessRuleRedisKeyPrefix]
-  }
-};
-const createRedisAccessRulesIndex = async (client) => redisIndex.createRedisIndex(client, accessRulesIndex);
-const numericIndexFields = [
-  "numericIp",
-  "numericIpMaskMin",
-  "numericIpMaskMax"
-];
-const greedyFieldComparisons = {
-  numericIp: (value) => `( @numericIp:[${value}] | ( @numericIpMaskMin:[-inf ${value}] @numericIpMaskMax:[${value} +inf] ) )`
-};
-const accessRulesRedisSearchOptions = {
-  // #2 is a required option when the 'ismissing()' function is in the query body
-  DIALECT: 2
-};
-const accessRulesRedisDeleteOptions = {
-  // #2 is a required option when the 'ismissing()' function is in the query body
-  DIALECT: 2,
-  LIMIT: {
-    from: 0,
-    size: DEFAULT_SEARCH_LIMIT
-  }
-};
-const getRedisAccessRulesQuery = (filter) => {
-  const { policyScope, userScope } = filter;
-  const policyScopeFilter = getPolicyScopeQuery(
-    policyScope,
-    filter.policyScopeMatch
-  );
-  if (userScope && Object.keys(userScope).length > 0) {
-    const userScopeFilter = getUserScopeQuery(userScope, filter.userScopeMatch);
-    return `${policyScopeFilter} ( ${userScopeFilter} )`;
-  }
-  return policyScopeFilter ? policyScopeFilter : "*";
-};
-const getPolicyScopeQuery = (policyScope, scopeMatchType) => {
-  const clientId = policyScope?.clientId;
-  if ("string" === typeof clientId) {
-    return accessPolicyResolver.ScopeMatch.Exact === scopeMatchType ? `@clientId:{${clientId}}` : `( @clientId:{${clientId}} | ismissing(@clientId) )`;
-  }
-  return accessPolicyResolver.ScopeMatch.Exact === scopeMatchType ? "ismissing(@clientId)" : "";
-};
-const getUserScopeQuery = (userScope, scopeMatchType) => {
-  const scopeEntries = Object.entries(userScope).filter(([_, value]) => value !== void 0);
-  const scopeJoinType = accessPolicyResolver.ScopeMatch.Exact === scopeMatchType ? " " : " | ";
-  return scopeEntries.map(
-    ([scopeFieldName, scopeFieldValue]) => getUserScopeFieldQuery(scopeFieldName, scopeFieldValue, scopeMatchType)
-  ).join(scopeJoinType);
-};
-const getUserScopeFieldQuery = (fieldName, fieldValue, matchType) => {
-  if (accessPolicyResolver.ScopeMatch.Greedy === matchType && "function" === typeof greedyFieldComparisons[fieldName]) {
-    return greedyFieldComparisons[fieldName](fieldValue);
-  }
-  return numericIndexFields.includes(fieldName) ? `@${fieldName}:[${fieldValue}]` : `@${fieldName}:{${fieldValue}}`;
-};
-const getRedisAccessRuleKey = (rule) => accessRuleRedisKeyPrefix + crypto.createHash(accessRuleContentHashAlgorithm).update(
-  JSON.stringify(
-    rule,
-    (key, value) => (
-      // JSON.stringify can't handle BigInt itself: throws "Do not know how to serialize a BigInt"
-      "bigint" === typeof value ? value.toString() : value
-    )
-  )
-).digest("hex");
-const getRedisAccessRuleValue = (rule) => Object.fromEntries(
-  Object.entries(rule).map(([key, value]) => [key, String(value)])
-);
-exports.accessRuleRedisKeyPrefix = accessRuleRedisKeyPrefix;
-exports.accessRulesRedisDeleteOptions = accessRulesRedisDeleteOptions;
-exports.accessRulesRedisIndexName = accessRulesRedisIndexName;
-exports.accessRulesRedisSearchOptions = accessRulesRedisSearchOptions;
-exports.createRedisAccessRulesIndex = createRedisAccessRulesIndex;
-exports.getRedisAccessRuleKey = getRedisAccessRuleKey;
-exports.getRedisAccessRuleValue = getRedisAccessRuleValue;
-exports.getRedisAccessRulesQuery = getRedisAccessRulesQuery;

package/dist/cjs/redis/redisIndex.cjs

@@ -1,22 +0,0 @@
-"use strict";
-Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
-const crypto = require("node:crypto");
-const redisIndexHashesRecordKey = "_index_hashes";
-const redisIndexHashAlgorithm = "sha256";
-const createRedisIndex = async (client, index) => {
-  const indexHash = createIndexHash(index);
-  const existingIndexes = await client.ft._LIST();
-  if (existingIndexes.includes(index.name)) {
-    const existingIndexHash = await fetchIndexHash(client, index.name);
-    if (indexHash === existingIndexHash) {
-      return;
-    }
-    await client.ft.dropIndex(index.name);
-  }
-  await client.ft.create(index.name, index.schema, index.options);
-  await saveIndexHash(client, index.name, indexHash);
-};
-const createIndexHash = (index) => crypto.createHash(redisIndexHashAlgorithm).update(JSON.stringify(index)).digest("hex");
-const fetchIndexHash = async (client, indexName) => client.hGet(redisIndexHashesRecordKey, indexName);
-const saveIndexHash = async (client, indexName, indexHash) => client.hSet(redisIndexHashesRecordKey, indexName, indexHash);
-exports.createRedisIndex = createRedisIndex;

package/dist/redis/redisAccessRulesIndex.js

@@ -1,113 +0,0 @@
-import crypto from "node:crypto";
-import { SCHEMA_FIELD_TYPE } from "@redis/search";
-import { ScopeMatch } from "../accessPolicyResolver.js";
-import { createRedisIndex } from "./redisIndex.js";
-const accessRulesRedisIndexName = "index:user-access-rules";
-const accessRuleRedisKeyPrefix = "uar:";
-const accessRuleContentHashAlgorithm = "md5";
-const DEFAULT_SEARCH_LIMIT = 1e3;
-const accessRulesIndex = {
-  name: accessRulesRedisIndexName,
-  /**
-   * Note on the field type decision
-   *
-   * TAG is designed for the exact value matching
-   * TEXT is designed for the word-based and pattern matching
-   *
-   * For our goal TAG fits perfectly and, more performant
-   */
-  schema: {
-    clientId: {
-      type: SCHEMA_FIELD_TYPE.TAG,
-      // necessary to make possible use of the ismissing() function on this field in the search
-      INDEXMISSING: true
-    },
-    numericIpMaskMin: SCHEMA_FIELD_TYPE.NUMERIC,
-    numericIpMaskMax: SCHEMA_FIELD_TYPE.NUMERIC,
-    userId: SCHEMA_FIELD_TYPE.TAG,
-    numericIp: { type: SCHEMA_FIELD_TYPE.NUMERIC, INDEXMISSING: true },
-    ja4Hash: SCHEMA_FIELD_TYPE.TAG,
-    headersHash: SCHEMA_FIELD_TYPE.TAG,
-    userAgentHash: SCHEMA_FIELD_TYPE.TAG
-  },
-  // the satisfy statement is to guarantee that the keys are right
-  options: {
-    ON: "HASH",
-    PREFIX: [accessRuleRedisKeyPrefix]
-  }
-};
-const createRedisAccessRulesIndex = async (client) => createRedisIndex(client, accessRulesIndex);
-const numericIndexFields = [
-  "numericIp",
-  "numericIpMaskMin",
-  "numericIpMaskMax"
-];
-const greedyFieldComparisons = {
-  numericIp: (value) => `( @numericIp:[${value}] | ( @numericIpMaskMin:[-inf ${value}] @numericIpMaskMax:[${value} +inf] ) )`
-};
-const accessRulesRedisSearchOptions = {
-  // #2 is a required option when the 'ismissing()' function is in the query body
-  DIALECT: 2
-};
-const accessRulesRedisDeleteOptions = {
-  // #2 is a required option when the 'ismissing()' function is in the query body
-  DIALECT: 2,
-  LIMIT: {
-    from: 0,
-    size: DEFAULT_SEARCH_LIMIT
-  }
-};
-const getRedisAccessRulesQuery = (filter) => {
-  const { policyScope, userScope } = filter;
-  const policyScopeFilter = getPolicyScopeQuery(
-    policyScope,
-    filter.policyScopeMatch
-  );
-  if (userScope && Object.keys(userScope).length > 0) {
-    const userScopeFilter = getUserScopeQuery(userScope, filter.userScopeMatch);
-    return `${policyScopeFilter} ( ${userScopeFilter} )`;
-  }
-  return policyScopeFilter ? policyScopeFilter : "*";
-};
-const getPolicyScopeQuery = (policyScope, scopeMatchType) => {
-  const clientId = policyScope?.clientId;
-  if ("string" === typeof clientId) {
-    return ScopeMatch.Exact === scopeMatchType ? `@clientId:{${clientId}}` : `( @clientId:{${clientId}} | ismissing(@clientId) )`;
-  }
-  return ScopeMatch.Exact === scopeMatchType ? "ismissing(@clientId)" : "";
-};
-const getUserScopeQuery = (userScope, scopeMatchType) => {
-  const scopeEntries = Object.entries(userScope).filter(([_, value]) => value !== void 0);
-  const scopeJoinType = ScopeMatch.Exact === scopeMatchType ? " " : " | ";
-  return scopeEntries.map(
-    ([scopeFieldName, scopeFieldValue]) => getUserScopeFieldQuery(scopeFieldName, scopeFieldValue, scopeMatchType)
-  ).join(scopeJoinType);
-};
-const getUserScopeFieldQuery = (fieldName, fieldValue, matchType) => {
-  if (ScopeMatch.Greedy === matchType && "function" === typeof greedyFieldComparisons[fieldName]) {
-    return greedyFieldComparisons[fieldName](fieldValue);
-  }
-  return numericIndexFields.includes(fieldName) ? `@${fieldName}:[${fieldValue}]` : `@${fieldName}:{${fieldValue}}`;
-};
-const getRedisAccessRuleKey = (rule) => accessRuleRedisKeyPrefix + crypto.createHash(accessRuleContentHashAlgorithm).update(
-  JSON.stringify(
-    rule,
-    (key, value) => (
-      // JSON.stringify can't handle BigInt itself: throws "Do not know how to serialize a BigInt"
-      "bigint" === typeof value ? value.toString() : value
-    )
-  )
-).digest("hex");
-const getRedisAccessRuleValue = (rule) => Object.fromEntries(
-  Object.entries(rule).map(([key, value]) => [key, String(value)])
-);
-export {
-  accessRuleRedisKeyPrefix,
-  accessRulesRedisDeleteOptions,
-  accessRulesRedisIndexName,
-  accessRulesRedisSearchOptions,
-  createRedisAccessRulesIndex,
-  getRedisAccessRuleKey,
-  getRedisAccessRuleValue,
-  getRedisAccessRulesQuery
-};

package/dist/redis/redisIndex.js

@@ -1,22 +0,0 @@
-import crypto from "node:crypto";
-const redisIndexHashesRecordKey = "_index_hashes";
-const redisIndexHashAlgorithm = "sha256";
-const createRedisIndex = async (client, index) => {
-  const indexHash = createIndexHash(index);
-  const existingIndexes = await client.ft._LIST();
-  if (existingIndexes.includes(index.name)) {
-    const existingIndexHash = await fetchIndexHash(client, index.name);
-    if (indexHash === existingIndexHash) {
-      return;
-    }
-    await client.ft.dropIndex(index.name);
-  }
-  await client.ft.create(index.name, index.schema, index.options);
-  await saveIndexHash(client, index.name, indexHash);
-};
-const createIndexHash = (index) => crypto.createHash(redisIndexHashAlgorithm).update(JSON.stringify(index)).digest("hex");
-const fetchIndexHash = async (client, indexName) => client.hGet(redisIndexHashesRecordKey, indexName);
-const saveIndexHash = async (client, indexName, indexHash) => client.hSet(redisIndexHashesRecordKey, indexName, indexHash);
-export {
-  createRedisIndex
-};