@prosopo/user-access-policy 3.5.19 → 3.5.28

package/dist/cjs/api/write/.export.cjs

@@ -0,0 +1 @@
+"use strict";

package/dist/cjs/api/write/insertRules.cjs

@@ -0,0 +1,102 @@
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const apiRoute = require("@prosopo/api-route");
+const common = require("@prosopo/common");
+const zod = require("zod");
+const policyInput = require("../../ruleInput/policyInput.cjs");
+const userScopeInput = require("../../ruleInput/userScopeInput.cjs");
+class InsertRulesEndpoint {
+  constructor(accessRulesWriter, logger) {
+    this.accessRulesWriter = accessRulesWriter;
+    this.logger = logger;
+  }
+  getRequestArgsSchema() {
+    return zod.z.array(
+      zod.z.object({
+        accessPolicy: policyInput.accessPolicyInput,
+        policyScopes: zod.z.array(policyInput.policyScopeInput).optional(),
+        groupId: zod.z.string().optional(),
+        userScopes: zod.z.array(userScopeInput.userScopeInput),
+        expiresUnixTimestamp: zod.z.number().optional()
+      })
+    );
+  }
+  async processRequest(args) {
+    const timeoutPromise = new Promise((resolve) => {
+      setTimeout(() => {
+        resolve({
+          status: apiRoute.ApiEndpointResponseStatus.PROCESSING
+        });
+      }, 5e3);
+    });
+    const userScopesCount = args.reduce(
+      (userScopesCount2, group) => userScopesCount2 + group.userScopes.length,
+      0
+    );
+    const createRulesPromise = this.createRuleGroups(args).then((insertedIds) => {
+      this.logger.info(() => ({
+        msg: "Endpoint inserted access rules",
+        data: {
+          userScopesCount,
+          insertedCount: insertedIds.length,
+          uniqueIdsCount: new Set(insertedIds).size
+        }
+      }));
+      this.logger.debug(() => ({
+        msg: "Inserted access rules details",
+        data: {
+          insertedIds,
+          input: args
+        }
+      }));
+      return {
+        status: apiRoute.ApiEndpointResponseStatus.SUCCESS
+      };
+    }).catch((error) => {
+      if (common.LogLevel.enum.debug === this.logger.getLogLevel()) {
+        this.logger.error(() => ({
+          err: error,
+          data: { args },
+          msg: "Failed to insert access rules"
+        }));
+      }
+      return {
+        status: apiRoute.ApiEndpointResponseStatus.FAIL
+      };
+    });
+    return Promise.race([timeoutPromise, createRulesPromise]);
+  }
+  async createRuleGroups(groups) {
+    const ruleIdPromises = groups.map((group) => this.createRulesGroup(group));
+    const ruleIdSets = await Promise.all(ruleIdPromises);
+    return ruleIdSets.flat();
+  }
+  async createRulesGroup(group) {
+    const ruleEntries = [];
+    const policyScopes = group.policyScopes || [];
+    for (const userScope of group.userScopes) {
+      const ruleBase = {
+        ...group.accessPolicy,
+        ...userScope,
+        ...group.groupId ? { groupId: group.groupId } : {}
+      };
+      if (policyScopes.length > 0) {
+        for (const policyScope of policyScopes) {
+          ruleEntries.push({
+            rule: {
+              ...ruleBase,
+              ...policyScope
+            }
+          });
+        }
+      } else {
+        ruleEntries.push({
+          rule: ruleBase,
+          expiresUnixTimestamp: group.expiresUnixTimestamp
+        });
+      }
+    }
+    return this.accessRulesWriter.insertRules(ruleEntries);
+  }
+}
+exports.InsertRulesEndpoint = InsertRulesEndpoint;

package/dist/cjs/api/write/rehashRules.cjs

@@ -0,0 +1,57 @@
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const apiRoute = require("@prosopo/api-route");
+class RehashRulesEndpoint {
+  constructor(accessRulesStorage, logger) {
+    this.accessRulesStorage = accessRulesStorage;
+    this.logger = logger;
+  }
+  getRequestArgsSchema() {
+  }
+  async processRequest() {
+    await this.accessRulesStorage.fetchAllRuleIds(async (ruleIds) => {
+      this.logger.info(() => ({
+        msg: "Fetched rule ids batch",
+        data: {
+          count: ruleIds.length,
+          ruleIds
+        }
+      }));
+      const ruleEntries = await this.accessRulesStorage.fetchRules(ruleIds);
+      this.logger.info(() => ({
+        msg: "Fetched rules",
+        data: {
+          count: ruleEntries.length
+        }
+      }));
+      if (ruleEntries.length !== ruleIds.length) {
+        this.logger.warn(() => ({
+          msg: "Fetched rules count is not equal to the requested count",
+          data: {
+            fetchedCount: ruleEntries.length,
+            requestedCount: ruleIds.length
+          }
+        }));
+      }
+      await this.accessRulesStorage.deleteRules(ruleIds);
+      this.logger.info(() => ({
+        msg: "Deleted rules",
+        data: {
+          count: ruleIds.length
+        }
+      }));
+      await this.accessRulesStorage.insertRules(ruleEntries);
+      this.logger.info(() => ({
+        msg: "Inserted rules",
+        data: {
+          count: ruleEntries.length
+        }
+      }));
+    });
+    return {
+      status: apiRoute.ApiEndpointResponseStatus.SUCCESS,
+      data: {}
+    };
+  }
+}
+exports.RehashRulesEndpoint = RehashRulesEndpoint;

package/dist/cjs/mongoose/.export.cjs

@@ -0,0 +1,4 @@
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const mongooseRuleSchema = require("./mongooseRuleSchema.cjs");
+exports.accessRuleMongooseSchema = mongooseRuleSchema.accessRuleMongooseSchema;

package/dist/cjs/mongoose/mongooseRuleSchema.cjs

@@ -0,0 +1,36 @@
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const userAttributesSchema = {
+  userId: { type: String, required: false },
+  ja4Hash: { type: String, required: false },
+  userAgent: { type: String, required: false },
+  headersHash: { type: String, required: false }
+};
+const userIpSchema = {
+  ip: { type: String, required: false },
+  ipMask: { type: String, required: false }
+};
+const userScopeSchema = {
+  ...userAttributesSchema,
+  ...userIpSchema
+};
+const policyScopeSchema = {
+  clientId: { type: String, required: false }
+};
+const accessPolicySchema = {
+  type: { type: String, required: true },
+  captchaType: { type: String, required: false },
+  description: { type: String, required: false },
+  solvedImagesCount: { type: Number, required: false },
+  imageThreshold: { type: Number, required: false },
+  powDifficulty: { type: Number, required: false },
+  unsolvedImagesCount: { type: Number, required: false },
+  frictionlessScore: { type: Number, required: false }
+};
+const accessRuleMongooseSchema = {
+  ...accessPolicySchema,
+  ...policyScopeSchema,
+  ...userScopeSchema,
+  ruleGroupId: { type: String, required: false }
+};
+exports.accessRuleMongooseSchema = accessRuleMongooseSchema;

package/dist/cjs/redis/.export.cjs

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const redisRulesStorage = require("./redisRulesStorage.cjs");
+const redisRuleIndex = require("./redisRuleIndex.cjs");
+exports.createRedisAccessRulesStorage = redisRulesStorage.createRedisAccessRulesStorage;
+exports.accessRulesRedisIndex = redisRuleIndex.accessRulesRedisIndex;

package/dist/cjs/redis/reader/redisAggregate.cjs

@@ -0,0 +1,60 @@
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const zod = require("zod");
+const redisRulesQuery = require("./redisRulesQuery.cjs");
+const redisClient = require("../redisClient.cjs");
+const redisRuleIndex = require("../redisRuleIndex.cjs");
+const aggregateRedisKeys = async (client, query, logger, batchHandler) => {
+  const keyField = "__key";
+  const recordSchema = zod.z.object({
+    // it's a reserved name for the record key
+    [keyField]: zod.z.string()
+  });
+  const foundKeys = [];
+  const addRecordKeys = async (records) => {
+    const parsedRecords = redisClient.parseRedisRecords(records, recordSchema, logger);
+    const recordKeys = parsedRecords.map((record) => record[keyField]);
+    if (batchHandler) {
+      await batchHandler(recordKeys);
+    } else {
+      foundKeys.push(...recordKeys);
+      logger.debug(() => ({
+        msg: "Processed aggregation batch",
+        data: {
+          size: recordKeys.length
+        }
+      }));
+    }
+  };
+  await executeAggregation(
+    client,
+    query,
+    {
+      // #2 is a required option when the 'ismissing()' function is in the query body
+      DIALECT: redisRulesQuery.REDIS_QUERY_DIALECT,
+      COUNT: redisClient.REDIS_BATCH_SIZE,
+      LOAD: `@${keyField}`
+    },
+    addRecordKeys
+  );
+  return foundKeys;
+};
+const executeAggregation = async (client, query, aggregateOptions, handleBatch) => {
+  const initialReply = await client.ft.aggregateWithCursor(
+    redisRuleIndex.ACCESS_RULES_REDIS_INDEX_NAME,
+    query,
+    aggregateOptions
+  );
+  await handleBatch(initialReply.results);
+  let cursor = initialReply.cursor;
+  while (0 !== cursor) {
+    const batchReply = await client.ft.cursorRead(
+      redisRuleIndex.ACCESS_RULES_REDIS_INDEX_NAME,
+      cursor,
+      { COUNT: aggregateOptions.COUNT }
+    );
+    await handleBatch(batchReply.results);
+    cursor = batchReply.cursor;
+  }
+};
+exports.aggregateRedisKeys = aggregateRedisKeys;

package/dist/cjs/redis/reader/redisRulesQuery.cjs

@@ -0,0 +1,99 @@
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const userScopeInput = require("../../ruleInput/userScopeInput.cjs");
+const rulesStorage = require("../../rulesStorage.cjs");
+const REDIS_QUERY_DIALECT = 2;
+const userIpQueries = {
+  numericIp: (value, scope) => {
+    if (void 0 !== value) {
+      return `( @numericIp:[${value} ${value}] | ( @numericIpMaskMin:[-inf ${value}] @numericIpMaskMax:[${value} +inf] ) )`;
+    }
+    if (scope.numericIpMaskMin === void 0 && scope.numericIpMaskMax === void 0) {
+      return "ismissing(@numericIp) ismissing(@numericIpMaskMin) ismissing(@numericIpMaskMax)";
+    }
+    return "";
+  },
+  numericIpMaskMin: (value, scope) => {
+    if (scope.numericIp !== void 0) {
+      return "";
+    }
+    return value !== void 0 ? `@numericIpMaskMin:[-inf ${value}]` : "ismissing(@numericIpMaskMin)";
+  },
+  numericIpMaskMax: (value, scope) => {
+    if (scope.numericIp !== void 0) {
+      return "";
+    }
+    return value !== void 0 ? `@numericIpMaskMax:[${value} +inf]` : "ismissing(@numericIpMaskMax)";
+  }
+};
+const getUserScopeQuery = (userScope, FilterScopeMatchType, matchingFieldsOnly) => {
+  let scopeEntries = Object.entries(userScope);
+  let scopeJoinType = " ";
+  if (FilterScopeMatchType === rulesStorage.FilterScopeMatch.Greedy) {
+    scopeEntries = scopeEntries.filter(
+      ([_, value]) => value !== void 0
+    );
+    scopeJoinType = " | ";
+  }
+  if (matchingFieldsOnly) {
+    const scopeMap = new Map(scopeEntries);
+    if (scopeMap.has("numericIp") && scopeMap.get("numericIp") === void 0) {
+      scopeMap.set("numericIpMaskMin", void 0);
+      scopeMap.set("numericIpMaskMax", void 0);
+    }
+    for (const name of Object.keys(userScopeInput.userScopeSchema.shape)) {
+      if (!scopeMap.has(name)) {
+        scopeMap.set(name, void 0);
+      }
+    }
+    scopeEntries = [...scopeMap.entries()];
+  }
+  const scopeObj = Object.fromEntries(scopeEntries);
+  return scopeEntries.map(
+    ([scopeFieldName, scopeFieldValue]) => getUserScopeFieldQuery(
+      scopeFieldName,
+      scopeFieldValue,
+      FilterScopeMatchType,
+      scopeObj
+    )
+  ).filter(Boolean).join(scopeJoinType);
+};
+const getUserScopeFieldQuery = (fieldName, fieldValue, scopeMatch, fullScope) => {
+  if (fieldName in userIpQueries) {
+    const queryBuilder = userIpQueries[fieldName];
+    return queryBuilder(fieldValue, fullScope);
+  }
+  return void 0 === fieldValue ? `ismissing(@${fieldName})` : `@${fieldName}:{${fieldValue}}`;
+};
+const getPolicyScopeQuery = (policyScope, scopeMatch) => {
+  const clientId = policyScope?.clientId;
+  if ("string" === typeof clientId) {
+    return rulesStorage.FilterScopeMatch.Exact === scopeMatch ? `@clientId:{${clientId}}` : `( @clientId:{${clientId}} | ismissing(@clientId) )`;
+  }
+  return rulesStorage.FilterScopeMatch.Exact === scopeMatch ? "ismissing(@clientId)" : "";
+};
+const getRulesRedisQuery = (filter, matchingFieldsOnly) => {
+  const { policyScope, userScope } = filter;
+  const queryParts = [];
+  if (filter.groupId) {
+    queryParts.push(`@groupId:{${filter.groupId}}`);
+  }
+  const policyScopeQuery = getPolicyScopeQuery(
+    policyScope,
+    filter.policyScopeMatch
+  );
+  if (policyScopeQuery) {
+    queryParts.push(policyScopeQuery);
+  }
+  if (userScope && Object.keys(userScope).length > 0) {
+    const userScopeFilter = getUserScopeQuery(
+      userScope,
+      filter.userScopeMatch,
+      matchingFieldsOnly
+    );
+    queryParts.push(`( ${userScopeFilter} )`);
+  }
+  return queryParts.length > 0 ? queryParts.join(" ") : "*";
+};
+exports.REDIS_QUERY_DIALECT = REDIS_QUERY_DIALECT;
+exports.getRulesRedisQuery = getRulesRedisQuery;

package/dist/cjs/redis/reader/redisRulesReader.cjs

@@ -0,0 +1,230 @@
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const util = require("node:util");
+const common = require("@prosopo/common");
+const redisRulesQuery = require("./redisRulesQuery.cjs");
+const redisClient = require("../redisClient.cjs");
+const redisRuleIndex = require("../redisRuleIndex.cjs");
+const ruleInput = require("../../ruleInput/ruleInput.cjs");
+const redisAggregate = require("./redisAggregate.cjs");
+function _interopNamespaceDefault(e) {
+  const n = Object.create(null, { [Symbol.toStringTag]: { value: "Module" } });
+  if (e) {
+    for (const k in e) {
+      if (k !== "default") {
+        const d = Object.getOwnPropertyDescriptor(e, k);
+        Object.defineProperty(n, k, d.get ? d : {
+          enumerable: true,
+          get: () => e[k]
+        });
+      }
+    }
+  }
+  n.default = e;
+  return Object.freeze(n);
+}
+const util__namespace = /* @__PURE__ */ _interopNamespaceDefault(util);
+class RedisRulesReader {
+  constructor(client, logger) {
+    this.client = client;
+    this.logger = logger;
+  }
+  async getMissingRuleIds(ruleIds) {
+    const ruleKeys = this.getRuleKeys(ruleIds);
+    const keyBatches = common.chunkIntoBatches(ruleKeys, redisClient.REDIS_BATCH_SIZE);
+    const missingKeyBatches = await common.executeBatchesSequentially(
+      keyBatches,
+      async (keysBatch) => redisClient.getMissingRedisKeys(this.client, keysBatch)
+    );
+    return missingKeyBatches.flat().map((ruleKey) => ruleKey.slice(redisRuleIndex.ACCESS_RULE_REDIS_KEY_PREFIX.length));
+  }
+  async fetchRules(ruleIds) {
+    const ruleKeys = this.getRuleKeys(ruleIds);
+    const keyBatches = common.chunkIntoBatches(ruleKeys, redisClient.REDIS_BATCH_SIZE);
+    const entryBatches = await common.executeBatchesSequentially(
+      keyBatches,
+      (keysBatch) => this.fetchRuleEntries(keysBatch)
+    );
+    return entryBatches.flat();
+  }
+  async findRules(filter, matchingFieldsOnly = false, skipEmptyUserScopes = true) {
+    const query = redisRulesQuery.getRulesRedisQuery(filter, matchingFieldsOnly);
+    if (skipEmptyUserScopes && query === "ismissing(@clientId)") {
+      return [];
+    }
+    let searchReply;
+    try {
+      searchReply = await this.client.ft.search(
+        redisRuleIndex.ACCESS_RULES_REDIS_INDEX_NAME,
+        query,
+        {
+          DIALECT: redisRulesQuery.REDIS_QUERY_DIALECT,
+          // FT.search doesn't support "unlimited" selects
+          LIMIT: {
+            from: 0,
+            size: redisClient.REDIS_BATCH_SIZE
+          }
+        }
+      );
+      if (searchReply.total > 0) {
+        this.logger.debug(() => ({
+          msg: "Executed search query",
+          data: {
+            inspect: util__namespace.inspect(
+              {
+                filter,
+                searchReply,
+                query
+              },
+              { depth: null }
+            )
+          }
+        }));
+      }
+    } catch (e) {
+      this.logger.error(() => ({
+        err: e,
+        data: {
+          inspect: util__namespace.inspect(
+            {
+              query,
+              filter
+            },
+            {
+              depth: null
+            }
+          )
+        },
+        msg: "failed to execute search query"
+      }));
+      return [];
+    }
+    const records = searchReply.documents.map(({ value }) => value);
+    return redisClient.parseRedisRecords(records, ruleInput.accessRuleInput, this.logger);
+  }
+  async findRuleIds(filter, matchingFieldsOnly = false) {
+    const query = redisRulesQuery.getRulesRedisQuery(filter, matchingFieldsOnly);
+    let ruleIds = [];
+    try {
+      const ruleKeys = await redisAggregate.aggregateRedisKeys(
+        this.client,
+        query,
+        this.logger
+      );
+      ruleIds = ruleKeys.map(
+        (ruleKey) => ruleKey.slice(redisRuleIndex.ACCESS_RULE_REDIS_KEY_PREFIX.length)
+      );
+    } catch (e) {
+      this.logger.error(() => ({
+        err: e,
+        data: {
+          inspect: util__namespace.inspect(
+            {
+              query,
+              filter
+            },
+            {
+              depth: null
+            }
+          )
+        },
+        msg: "Failed to execute search query for rule IDs"
+      }));
+      return [];
+    }
+    this.logger.debug(() => ({
+      msg: "Executed search query for rule IDs",
+      data: {
+        query,
+        foundCount: ruleIds.length,
+        foundIds: ruleIds
+      }
+    }));
+    return ruleIds;
+  }
+  async fetchAllRuleIds(batchHandler) {
+    const keysBatchHandler = async (keys) => {
+      const ids = keys.map(
+        (ruleKey) => ruleKey.slice(redisRuleIndex.ACCESS_RULE_REDIS_KEY_PREFIX.length)
+      );
+      await batchHandler(ids);
+    };
+    await redisAggregate.aggregateRedisKeys(this.client, "*", this.logger, keysBatchHandler);
+  }
+  async fetchRuleEntries(keys) {
+    const { records, expirations } = await redisClient.fetchRedisHashRecords(
+      this.client,
+      keys,
+      this.logger
+    );
+    const entries = [];
+    for (const [index, ruleData] of records.entries()) {
+      const isRulePresent = Object.keys(ruleData).length > 0;
+      if (isRulePresent) {
+        const rule = redisClient.parseRedisRecords(
+          [ruleData],
+          ruleInput.accessRuleInput,
+          this.logger
+        )[0];
+        if (rule) {
+          entries.push({
+            rule,
+            expiresUnixTimestamp: expirations[index]
+          });
+        }
+      }
+    }
+    return entries;
+  }
+  getRuleKeys(ruleIds) {
+    return ruleIds.map((id) => `${redisRuleIndex.ACCESS_RULE_REDIS_KEY_PREFIX}${id}`);
+  }
+}
+class DummyRedisRulesReader {
+  constructor(logger) {
+    this.logger = logger;
+  }
+  async getMissingRuleIds(ruleIds) {
+    this.logger.info(() => ({
+      msg: "Dummy getMissingRuleIds() has no effect (redis is not ready)",
+      data: {
+        ruleIds
+      }
+    }));
+    return [];
+  }
+  async fetchRules(ruleIds) {
+    this.logger.info(() => ({
+      msg: "Dummy fetchRule() has no effect (redis is not ready)",
+      data: {
+        ruleIds
+      }
+    }));
+    return [];
+  }
+  async findRules(filter, matchingFieldsOnly = false, skipEmptyUserScopes = true) {
+    this.logger.info(() => ({
+      msg: "Dummy findRules() has no effect (redis is not ready)",
+      data: {
+        filter
+      }
+    }));
+    return [];
+  }
+  async findRuleIds(filter, matchingFieldsOnly = false) {
+    this.logger.info(() => ({
+      msg: "Dummy findRuleIds() has no effect (redis is not ready)",
+      data: {
+        filter
+      }
+    }));
+    return [];
+  }
+  async fetchAllRuleIds(batchHandler) {
+    this.logger.info(() => ({
+      msg: "Dummy fetchAllRuleIds() has no effect (redis is not ready)"
+    }));
+  }
+}
+exports.DummyRedisRulesReader = DummyRedisRulesReader;
+exports.RedisRulesReader = RedisRulesReader;

package/dist/cjs/redis/redisClient.cjs

@@ -0,0 +1,67 @@
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const zod = require("zod");
+const REDIS_BATCH_SIZE = 1e3;
+const getMissingRedisKeys = async (client, keys) => {
+  const queries = client.multi();
+  keys.map((key) => {
+    queries.exists(key);
+  });
+  const records = await queries.exec();
+  const missingKeys = [];
+  records.map((exists, recordIndex) => {
+    if ("0" === String(exists)) {
+      const key = keys[recordIndex];
+      if (key) {
+        missingKeys.push(key);
+      }
+    }
+  });
+  return missingKeys;
+};
+const fetchRedisHashRecords = async (client, keys, logger) => {
+  const rulesPipe = client.multi();
+  const expirationPipe = client.multi();
+  for (const key of keys) {
+    rulesPipe.hGetAll(key);
+    expirationPipe.expireTime(key);
+  }
+  const records = await rulesPipe.exec();
+  const expirationRecords = await expirationPipe.exec();
+  return {
+    records,
+    expirations: parseExpirationRecords(expirationRecords, logger)
+  };
+};
+const parseRedisRecords = (records, recordSchema, logger) => records.flatMap((record) => {
+  const parseResult = recordSchema.safeParse(record);
+  if (parseResult.success) {
+    return [parseResult.data];
+  }
+  logger.error(() => ({
+    msg: "Failed to parse Redis record",
+    data: { record, error: parseResult.error }
+  }));
+  return [];
+});
+const expirationRecordSchema = zod.z.coerce.number();
+const UNSET_EXPIRATION_VALUE = -1;
+const parseExpirationRecords = (records, logger) => records.flatMap((record) => {
+  const parseResult = expirationRecordSchema.safeParse(record);
+  if (parseResult.success) {
+    const expiration = UNSET_EXPIRATION_VALUE === parseResult.data ? void 0 : parseResult.data;
+    return [expiration];
+  }
+  logger.error(() => ({
+    msg: "Failed to parse Redis expiration record",
+    data: {
+      record,
+      error: parseResult.error
+    }
+  }));
+  return [void 0];
+});
+exports.REDIS_BATCH_SIZE = REDIS_BATCH_SIZE;
+exports.fetchRedisHashRecords = fetchRedisHashRecords;
+exports.getMissingRedisKeys = getMissingRedisKeys;
+exports.parseRedisRecords = parseRedisRecords;