npm - @prosopo/user-access-policy - Versions diffs - 3.5.19 → 3.5.28 - Mend

@prosopo/user-access-policy 3.5.19 → 3.5.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (93) hide show

package/CHANGELOG.md +84 -0
package/dist/.export.js +21 -0
package/dist/api/.export.js +11 -0
package/dist/api/delete/.export.js +1 -0
package/dist/api/{deleteAllRulesEndpoint.js → delete/deleteAllRules.js} +10 -9
package/dist/api/delete/deleteRuleGroups.js +52 -0
package/dist/api/delete/deleteRules.js +43 -0
package/dist/api/read/.export.js +1 -0
package/dist/api/read/fetchRules.js +43 -0
package/dist/api/read/findRuleIds.js +50 -0
package/dist/api/read/getMissingIds.js +41 -0
package/dist/api/ruleApiRoutes.js +131 -0
package/dist/api/rulesApiClient.js +93 -0
package/dist/api/write/.export.js +1 -0
package/dist/api/write/insertRules.js +102 -0
package/dist/api/write/rehashRules.js +57 -0
package/dist/cjs/.export.cjs +21 -0
package/dist/cjs/api/.export.cjs +11 -0
package/dist/cjs/api/delete/.export.cjs +1 -0
package/dist/cjs/api/{deleteAllRulesEndpoint.cjs → delete/deleteAllRules.cjs} +9 -8
package/dist/cjs/api/delete/deleteRuleGroups.cjs +52 -0
package/dist/cjs/api/delete/deleteRules.cjs +43 -0
package/dist/cjs/api/read/.export.cjs +1 -0
package/dist/cjs/api/read/fetchRules.cjs +43 -0
package/dist/cjs/api/read/findRuleIds.cjs +50 -0
package/dist/cjs/api/read/getMissingIds.cjs +41 -0
package/dist/cjs/api/ruleApiRoutes.cjs +131 -0
package/dist/cjs/api/rulesApiClient.cjs +93 -0
package/dist/cjs/api/write/.export.cjs +1 -0
package/dist/cjs/api/write/insertRules.cjs +102 -0
package/dist/cjs/api/write/rehashRules.cjs +57 -0
package/dist/cjs/mongoose/.export.cjs +4 -0
package/dist/cjs/mongoose/mongooseRuleSchema.cjs +36 -0
package/dist/cjs/redis/.export.cjs +6 -0
package/dist/cjs/redis/reader/redisAggregate.cjs +60 -0
package/dist/cjs/redis/reader/redisRulesQuery.cjs +99 -0
package/dist/cjs/redis/reader/redisRulesReader.cjs +230 -0
package/dist/cjs/redis/redisClient.cjs +67 -0
package/dist/cjs/redis/redisRuleIndex.cjs +50 -0
package/dist/cjs/redis/redisRulesStorage.cjs +22 -9
package/dist/cjs/redis/redisRulesWriter.cjs +91 -64
package/dist/cjs/rule.cjs +8 -0
package/dist/cjs/ruleInput/.export.cjs +9 -0
package/dist/cjs/ruleInput/policyInput.cjs +25 -0
package/dist/cjs/ruleInput/ruleInput.cjs +50 -0
package/dist/cjs/ruleInput/userScopeInput.cjs +55 -0
package/dist/cjs/ruleRecord.cjs +23 -0
package/dist/cjs/rulesStorage.cjs +8 -0
package/dist/cjs/transformRule.cjs +77 -0
package/dist/mongoose/.export.js +4 -0
package/dist/mongoose/mongooseRuleSchema.js +36 -0
package/dist/redis/.export.js +6 -0
package/dist/redis/reader/redisAggregate.js +60 -0
package/dist/redis/reader/redisRulesQuery.js +99 -0
package/dist/redis/reader/redisRulesReader.js +213 -0
package/dist/redis/redisClient.js +67 -0
package/dist/redis/redisRuleIndex.js +50 -0
package/dist/redis/redisRulesStorage.js +23 -10
package/dist/redis/redisRulesWriter.js +91 -64
package/dist/rule.js +8 -0
package/dist/ruleInput/.export.js +9 -0
package/dist/ruleInput/policyInput.js +25 -0
package/dist/ruleInput/ruleInput.js +50 -0
package/dist/ruleInput/userScopeInput.js +55 -0
package/dist/ruleRecord.js +23 -0
package/dist/rulesStorage.js +8 -0
package/dist/transformRule.js +77 -0
package/entries.ts +20 -0
package/package.json +34 -18
package/vite.cjs.config.ts +4 -1
package/vite.esm.config.ts +6 -1
package/dist/accessPolicy.js +0 -80
package/dist/accessPolicyResolver.js +0 -31
package/dist/accessRules.js +0 -11
package/dist/api/accessRuleApiRoutes.js +0 -79
package/dist/api/accessRulesApiClient.js +0 -38
package/dist/api/deleteRulesEndpoint.js +0 -34
package/dist/api/insertRulesEndpoint.js +0 -62
package/dist/cjs/accessPolicy.cjs +0 -80
package/dist/cjs/accessPolicyResolver.cjs +0 -31
package/dist/cjs/accessRules.cjs +0 -11
package/dist/cjs/api/accessRuleApiRoutes.cjs +0 -79
package/dist/cjs/api/accessRulesApiClient.cjs +0 -38
package/dist/cjs/api/deleteRulesEndpoint.cjs +0 -34
package/dist/cjs/api/insertRulesEndpoint.cjs +0 -62
package/dist/cjs/index.cjs +0 -31
package/dist/cjs/redis/redisRulesIndex.cjs +0 -138
package/dist/cjs/redis/redisRulesReader.cjs +0 -142
package/dist/cjs/util.cjs +0 -5
package/dist/index.js +0 -32
package/dist/redis/redisRulesIndex.js +0 -138
package/dist/redis/redisRulesReader.js +0 -125
package/dist/util.js +0 -5

package/dist/cjs/redis/redisRulesReader.cjs DELETED Viewed

@@ -1,142 +0,0 @@
-"use strict";
-Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
-const util = require("node:util");
-const accessRules = require("../accessRules.cjs");
-const redisRulesIndex = require("./redisRulesIndex.cjs");
-function _interopNamespaceDefault(e) {
-  const n = Object.create(null, { [Symbol.toStringTag]: { value: "Module" } });
-  if (e) {
-    for (const k in e) {
-      if (k !== "default") {
-        const d = Object.getOwnPropertyDescriptor(e, k);
-        Object.defineProperty(n, k, d.get ? d : {
-          enumerable: true,
-          get: () => e[k]
-        });
-      }
-    }
-  }
-  n.default = e;
-  return Object.freeze(n);
-}
-const util__namespace = /* @__PURE__ */ _interopNamespaceDefault(util);
-const createRedisRulesReader = (client, logger) => {
-  return {
-    findRules: async (filter, matchingFieldsOnly = false, skipEmptyUserScopes = true) => {
-      const query = redisRulesIndex.getRedisRulesQuery(filter, matchingFieldsOnly);
-      if (skipEmptyUserScopes && query === "ismissing(@clientId)") {
-        return [];
-      }
-      let searchReply;
-      try {
-        searchReply = await client.ft.search(
-          redisRulesIndex.redisRulesIndexName,
-          query,
-          redisRulesIndex.redisRulesSearchOptions
-        );
-        if (searchReply.total > 0) {
-          logger.debug(() => ({
-            msg: "Executed search query",
-            data: {
-              inspect: util__namespace.inspect(
-                {
-                  filter,
-                  searchReply,
-                  query
-                },
-                { depth: null }
-              )
-            }
-          }));
-        }
-      } catch (e) {
-        logger.error(() => ({
-          err: e,
-          data: {
-            inspect: util__namespace.inspect(
-              {
-                query,
-                filter
-              },
-              {
-                depth: null
-              }
-            )
-          },
-          msg: "failed to execute search query"
-        }));
-        return [];
-      }
-      return extractRulesFromSearchReply(searchReply, logger);
-    },
-    findRuleIds: async (filter, matchingFieldsOnly = false) => {
-      const query = redisRulesIndex.getRedisRulesQuery(filter, matchingFieldsOnly);
-      let searchReply;
-      try {
-        searchReply = await client.ft.searchNoContent(
-          redisRulesIndex.redisRulesIndexName,
-          query,
-          redisRulesIndex.redisRulesSearchOptions
-        );
-      } catch (e) {
-        logger.error(() => ({
-          err: e,
-          data: {
-            inspect: util__namespace.inspect(
-              {
-                query,
-                filter
-              },
-              {
-                depth: null
-              }
-            )
-          },
-          msg: "Failed to execute search query for rule IDs"
-        }));
-        return [];
-      }
-      return searchReply.documents;
-    }
-  };
-};
-const getDummyRedisRulesReader = (logger) => {
-  return {
-    findRules: async (filter, matchingFieldsOnly = false, skipEmptyUserScopes = true) => {
-      logger.info(() => ({
-        msg: "Dummy findRules() has no effect (redis is not ready)",
-        data: {
-          filter
-        }
-      }));
-      return [];
-    },
-    findRuleIds: async (filter, matchingFieldsOnly = false) => {
-      logger.info(() => ({
-        msg: "Dummy findRuleIds() has no effect (redis is not ready)",
-        data: {
-          filter
-        }
-      }));
-      return [];
-    }
-  };
-};
-const extractRulesFromSearchReply = (searchReply, logger) => {
-  const accessRules$1 = [];
-  searchReply.documents.map(({ id, value: document }) => {
-    const parsedDocument = accessRules.accessRuleSchema.safeParse(document);
-    if (parsedDocument.success) {
-      accessRules$1.push(parsedDocument.data);
-    } else {
-      logger.debug(() => ({
-        msg: "Failed to parse access rule from search reply",
-        id,
-        error: parsedDocument.error
-      }));
-    }
-  });
-  return accessRules$1;
-};
-exports.createRedisRulesReader = createRedisRulesReader;
-exports.getDummyRedisRulesReader = getDummyRedisRulesReader;

package/dist/cjs/util.cjs DELETED Viewed

@@ -1,5 +0,0 @@
-"use strict";
-Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
-const crypto = require("node:crypto");
-const hashUserAgent = (userAgent) => crypto.createHash("sha256").update(userAgent).digest("hex");
-exports.hashUserAgent = hashUserAgent;

package/dist/index.js DELETED Viewed

@@ -1,32 +0,0 @@
-import { AccessPolicyType, accessPolicySchema, accessRuleSchemaExtended, policyScopeSchema, userScopeInputSchema } from "./accessPolicy.js";
-import { ScopeMatch } from "./accessPolicyResolver.js";
-import { accessRuleSchema } from "./accessRules.js";
-import { AccessRuleApiRoutes } from "./api/accessRuleApiRoutes.js";
-import { accessRuleApiPaths, getExpressApiRuleRateLimits } from "./api/accessRuleApiRoutes.js";
-import { deleteAllRulesEndpointSchema } from "./api/deleteAllRulesEndpoint.js";
-import { deleteRulesEndpointSchema } from "./api/deleteRulesEndpoint.js";
-import { insertRulesEndpointSchema } from "./api/insertRulesEndpoint.js";
-import { createRedisAccessRulesStorage } from "./redis/redisRulesStorage.js";
-import { redisAccessRulesIndex } from "./redis/redisRulesIndex.js";
-import { AccessRulesApiClient } from "./api/accessRulesApiClient.js";
-const createApiRuleRoutesProvider = (rulesStorage) => {
-  return new AccessRuleApiRoutes(rulesStorage);
-};
-export {
-  AccessPolicyType,
-  AccessRulesApiClient,
-  ScopeMatch,
-  accessPolicySchema,
-  accessRuleApiPaths,
-  accessRuleSchema,
-  accessRuleSchemaExtended,
-  createApiRuleRoutesProvider,
-  createRedisAccessRulesStorage,
-  deleteAllRulesEndpointSchema,
-  deleteRulesEndpointSchema,
-  getExpressApiRuleRateLimits,
-  insertRulesEndpointSchema,
-  policyScopeSchema,
-  redisAccessRulesIndex,
-  userScopeInputSchema
-};

package/dist/redis/redisRulesIndex.js DELETED Viewed

@@ -1,138 +0,0 @@
-import { SCHEMA_FIELD_TYPE } from "@redis/search";
-import { userScopeSchema } from "../accessPolicy.js";
-import { ScopeMatch } from "../accessPolicyResolver.js";
-const redisRulesIndexName = "index:user-access-rules";
-const redisRuleKeyPrefix = "uar:";
-const redisAccessRulesIndex = {
-  name: redisRulesIndexName,
-  /**
-   * Note on the field type decision
-   *
-   * TAG is designed for the exact value matching
-   * TEXT is designed for the word-based and pattern matching
-   *
-   * For our goal TAG fits perfectly and, more performant
-   */
-  schema: {
-    clientId: {
-      type: SCHEMA_FIELD_TYPE.TAG,
-      // necessary to make possible use of the ismissing() function on this field in the search
-      INDEXMISSING: true
-    },
-    numericIpMaskMin: { type: SCHEMA_FIELD_TYPE.NUMERIC, INDEXMISSING: true },
-    numericIpMaskMax: { type: SCHEMA_FIELD_TYPE.NUMERIC, INDEXMISSING: true },
-    userId: { type: SCHEMA_FIELD_TYPE.TAG, INDEXMISSING: true },
-    numericIp: { type: SCHEMA_FIELD_TYPE.NUMERIC, INDEXMISSING: true },
-    ja4Hash: { type: SCHEMA_FIELD_TYPE.TAG, INDEXMISSING: true },
-    headersHash: { type: SCHEMA_FIELD_TYPE.TAG, INDEXMISSING: true },
-    userAgentHash: { type: SCHEMA_FIELD_TYPE.TAG, INDEXMISSING: true }
-  },
-  // the satisfy statement is to guarantee that the keys are right
-  options: {
-    ON: "HASH",
-    PREFIX: [redisRuleKeyPrefix]
-  }
-};
-const numericIndexFields = [
-  "numericIp",
-  "numericIpMaskMin",
-  "numericIpMaskMax"
-];
-const greedyFieldComparisons = {
-  numericIp: (value, scope) => {
-    if (value !== void 0) {
-      return `( @numericIp:[${value}] | ( @numericIpMaskMin:[-inf ${value}] @numericIpMaskMax:[${value} +inf] ) )`;
-    }
-    if (scope.numericIpMaskMin === void 0 && scope.numericIpMaskMax === void 0) {
-      return "ismissing(@numericIp) ismissing(@numericIpMaskMin) ismissing(@numericIpMaskMax)";
-    }
-    return "";
-  },
-  numericIpMaskMin: (value, scope) => {
-    if (scope.numericIp !== void 0) {
-      return "";
-    }
-    return value !== void 0 ? `@numericIpMaskMin:[-inf ${value}]` : "ismissing(@numericIpMaskMin)";
-  },
-  numericIpMaskMax: (value, scope) => {
-    if (scope.numericIp !== void 0) {
-      return "";
-    }
-    return value !== void 0 ? `@numericIpMaskMax:[${value} +inf]` : "ismissing(@numericIpMaskMax)";
-  }
-};
-const redisRulesSearchOptions = {
-  // #2 is a required option when the 'ismissing()' function is in the query body
-  DIALECT: 2
-};
-const getRedisRulesQuery = (filter, matchingFieldsOnly) => {
-  const { policyScope, userScope } = filter;
-  const policyScopeFilter = getPolicyScopeQuery(
-    policyScope,
-    filter.policyScopeMatch
-  );
-  if (userScope && Object.keys(userScope).length > 0) {
-    const userScopeFilter = getUserScopeQuery(
-      userScope,
-      filter.userScopeMatch,
-      matchingFieldsOnly
-    );
-    return `${policyScopeFilter} ( ${userScopeFilter} )`;
-  }
-  return policyScopeFilter ? policyScopeFilter : "*";
-};
-const getPolicyScopeQuery = (policyScope, scopeMatchType) => {
-  const clientId = policyScope?.clientId;
-  if ("string" === typeof clientId) {
-    return ScopeMatch.Exact === scopeMatchType ? `@clientId:{${clientId}}` : `( @clientId:{${clientId}} | ismissing(@clientId) )`;
-  }
-  return ScopeMatch.Exact === scopeMatchType ? "ismissing(@clientId)" : "";
-};
-const getUserScopeQuery = (userScope, scopeMatchType, matchingFieldsOnly) => {
-  let scopeEntries = Object.entries(userScope);
-  let scopeJoinType = " ";
-  if (scopeMatchType === ScopeMatch.Greedy) {
-    scopeEntries = scopeEntries.filter(
-      ([_, value]) => value !== void 0
-    );
-    scopeJoinType = " | ";
-  }
-  if (matchingFieldsOnly) {
-    const scopeMap = new Map(scopeEntries);
-    if (scopeMap.has("numericIp") && scopeMap.get("numericIp") === void 0) {
-      scopeMap.set("numericIpMaskMin", void 0);
-      scopeMap.set("numericIpMaskMax", void 0);
-    }
-    for (const name of Object.keys(userScopeSchema.shape)) {
-      if (!scopeMap.has(name)) {
-        scopeMap.set(name, void 0);
-      }
-    }
-    scopeEntries = [...scopeMap.entries()];
-  }
-  const scopeObj = Object.fromEntries(scopeEntries);
-  return scopeEntries.map(
-    ([scopeFieldName, scopeFieldValue]) => getUserScopeFieldQuery(
-      scopeFieldName,
-      scopeFieldValue,
-      scopeMatchType,
-      scopeObj
-    )
-  ).filter(Boolean).join(scopeJoinType);
-};
-const getUserScopeFieldQuery = (fieldName, fieldValue, matchType, fullScope) => {
-  if ("function" === typeof greedyFieldComparisons[fieldName]) {
-    return greedyFieldComparisons[fieldName](fieldValue, fullScope);
-  }
-  if (fieldValue === void 0) {
-    return `ismissing(@${fieldName})`;
-  }
-  return numericIndexFields.includes(fieldName) ? `@${fieldName}:[${fieldValue}]` : `@${fieldName}:{${fieldValue}}`;
-};
-export {
-  getRedisRulesQuery,
-  redisAccessRulesIndex,
-  redisRuleKeyPrefix,
-  redisRulesIndexName,
-  redisRulesSearchOptions
-};

package/dist/redis/redisRulesReader.js DELETED Viewed

@@ -1,125 +0,0 @@
-import * as util from "node:util";
-import { accessRuleSchema } from "../accessRules.js";
-import { getRedisRulesQuery, redisRulesIndexName, redisRulesSearchOptions } from "./redisRulesIndex.js";
-const createRedisRulesReader = (client, logger) => {
-  return {
-    findRules: async (filter, matchingFieldsOnly = false, skipEmptyUserScopes = true) => {
-      const query = getRedisRulesQuery(filter, matchingFieldsOnly);
-      if (skipEmptyUserScopes && query === "ismissing(@clientId)") {
-        return [];
-      }
-      let searchReply;
-      try {
-        searchReply = await client.ft.search(
-          redisRulesIndexName,
-          query,
-          redisRulesSearchOptions
-        );
-        if (searchReply.total > 0) {
-          logger.debug(() => ({
-            msg: "Executed search query",
-            data: {
-              inspect: util.inspect(
-                {
-                  filter,
-                  searchReply,
-                  query
-                },
-                { depth: null }
-              )
-            }
-          }));
-        }
-      } catch (e) {
-        logger.error(() => ({
-          err: e,
-          data: {
-            inspect: util.inspect(
-              {
-                query,
-                filter
-              },
-              {
-                depth: null
-              }
-            )
-          },
-          msg: "failed to execute search query"
-        }));
-        return [];
-      }
-      return extractRulesFromSearchReply(searchReply, logger);
-    },
-    findRuleIds: async (filter, matchingFieldsOnly = false) => {
-      const query = getRedisRulesQuery(filter, matchingFieldsOnly);
-      let searchReply;
-      try {
-        searchReply = await client.ft.searchNoContent(
-          redisRulesIndexName,
-          query,
-          redisRulesSearchOptions
-        );
-      } catch (e) {
-        logger.error(() => ({
-          err: e,
-          data: {
-            inspect: util.inspect(
-              {
-                query,
-                filter
-              },
-              {
-                depth: null
-              }
-            )
-          },
-          msg: "Failed to execute search query for rule IDs"
-        }));
-        return [];
-      }
-      return searchReply.documents;
-    }
-  };
-};
-const getDummyRedisRulesReader = (logger) => {
-  return {
-    findRules: async (filter, matchingFieldsOnly = false, skipEmptyUserScopes = true) => {
-      logger.info(() => ({
-        msg: "Dummy findRules() has no effect (redis is not ready)",
-        data: {
-          filter
-        }
-      }));
-      return [];
-    },
-    findRuleIds: async (filter, matchingFieldsOnly = false) => {
-      logger.info(() => ({
-        msg: "Dummy findRuleIds() has no effect (redis is not ready)",
-        data: {
-          filter
-        }
-      }));
-      return [];
-    }
-  };
-};
-const extractRulesFromSearchReply = (searchReply, logger) => {
-  const accessRules = [];
-  searchReply.documents.map(({ id, value: document }) => {
-    const parsedDocument = accessRuleSchema.safeParse(document);
-    if (parsedDocument.success) {
-      accessRules.push(parsedDocument.data);
-    } else {
-      logger.debug(() => ({
-        msg: "Failed to parse access rule from search reply",
-        id,
-        error: parsedDocument.error
-      }));
-    }
-  });
-  return accessRules;
-};
-export {
-  createRedisRulesReader,
-  getDummyRedisRulesReader
-};

package/dist/util.js DELETED Viewed

@@ -1,5 +0,0 @@
-import crypto from "node:crypto";
-const hashUserAgent = (userAgent) => crypto.createHash("sha256").update(userAgent).digest("hex");
-export {
-  hashUserAgent
-};