@restorecommerce/acs-client 0.6.35 → 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +38 -0
- package/cfg/config.json +4 -70
- package/lib/acs/authz.d.ts +9 -7
- package/lib/acs/authz.js +65 -37
- package/lib/acs/authz.js.map +1 -1
- package/lib/acs/cache.js +5 -1
- package/lib/acs/cache.js.map +1 -1
- package/lib/acs/interfaces.d.ts +13 -75
- package/lib/acs/interfaces.js +1 -41
- package/lib/acs/interfaces.js.map +1 -1
- package/lib/acs/resolver.d.ts +9 -11
- package/lib/acs/resolver.js +57 -42
- package/lib/acs/resolver.js.map +1 -1
- package/lib/index.js +5 -1
- package/lib/index.js.map +1 -1
- package/lib/utils.d.ts +6 -4
- package/lib/utils.js +31 -25
- package/lib/utils.js.map +1 -1
- package/package.json +21 -19
- package/tsconfig.test.json +1 -2
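--- a/package/lib/acs/interfaces.d.ts
+++ b/package/lib/acs/interfaces.d.ts
@@ -1,3 +1,9 @@
+import { Attribute } from '@restorecommerce/rc-grpc-clients/dist/generated-server/io/restorecommerce/attribute';
+import { RoleAssociation, Subject, DeepPartial } from '@restorecommerce/rc-grpc-clients/dist/generated-server/io/restorecommerce/auth';
+import { Meta } from '@restorecommerce/rc-grpc-clients/dist/generated-server/io/restorecommerce/meta';
+import { FilterOp } from '@restorecommerce/rc-grpc-clients/dist/generated-server/io/restorecommerce/resource_base';
+import { Response_Decision } from '@restorecommerce/rc-grpc-clients/dist/generated-server/io/restorecommerce/access_control';
+import { Effect } from '@restorecommerce/rc-grpc-clients/dist/generated-server/io/restorecommerce/rule';
 export declare enum AuthZAction {
     CREATE = "CREATE",
     READ = "READ",
@@ -27,7 +33,7 @@ export interface CtxResource {
     [key: string]: any;
 }
 export interface ACSClientContext {
-    subject?: Subject
+    subject?: DeepPartial<Subject>;
     resources?: CtxResource[];
 }
 export interface Database {
@@ -50,23 +56,12 @@ export interface ResolvedSubject {
     role_associations?: RoleAssociation[];
     hierarchical_scopes?: HierarchicalScope[];
 }
-export interface Subject {
-    id?: string;
-    scope?: string;
-    unauthenticated?: boolean;
-    token?: string;
-}
-export declare enum Decision {
-    PERMIT = "PERMIT",
-    DENY = "DENY",
-    INDETERMINATE = "INDETERMINATE"
-}
 export interface Obligation {
     resource: string;
     property: string[];
 }
 export interface DecisionResponse {
-    decision:
+    decision: Response_Decision;
     obligation?: Obligation[];
     operation_status: {
         code: number;
@@ -83,7 +78,7 @@ export interface Request<TTarget, TContext> {
     context: TContext;
 }
 export interface Response {
-    decision:
+    decision: Response_Decision;
 }
 /**
  * isAllowed Authorization interface
@@ -107,7 +102,7 @@ export interface AuthZContext {
 }
 export interface ResourceData {
     id: string;
-    meta:
+    meta: Meta;
     [key: string]: any;
 }
 export interface AuthZRequest extends Request<AuthZTarget, AuthZContext> {
@@ -115,7 +110,7 @@ export interface AuthZRequest extends Request<AuthZTarget, AuthZContext> {
     context: AuthZContext;
 }
 export interface AuthZResponse extends Response {
-    decision:
+    decision: Response_Decision;
     obligation: string;
 }
 export interface IAuthZ extends AuthZ<AuthZSubject | UnauthenticatedData, AuthZContext, Resource[], AuthZAction> {
@@ -138,21 +133,6 @@ export interface UnauthenticatedSession {
 export interface UnauthenticatedData {
     unauthenticated: true;
 }
-export interface Attribute {
-    id: string;
-    value: string;
-    attribute?: Attribute[];
-}
-export interface RoleAssociation {
-    role: string;
-    attributes?: Attribute[];
-}
-export interface MetaInfo {
-    created: number;
-    modified: number;
-    modified_by: string;
-    owner: Attribute[];
-}
 export interface UserScope {
     role_associations: RoleAssociation[];
     scopeOrganization: string;
@@ -169,27 +149,9 @@ export interface PolicySetRQ extends AccessControlObjectInterface {
     combining_algorithm?: string;
     policies?: PolicyRQ[];
 }
-export declare enum FilterValueType {
-    STRING = 0,
-    NUMBER = 1,
-    BOOLEAN = 2,
-    DATE = 3,
-    ARRAY = 4
-}
-export interface Filter {
-    field: string;
-    operation: FilterOperation;
-    value: string;
-    type?: FilterValueType;
-    filters?: Filters[];
-}
-export interface Filters {
-    filter?: Filter[];
-    operator?: OperatorType;
-}
 export interface ResourceFilterMap {
     resource: string;
-    filters:
+    filters: FilterOp[];
 }
 export interface CustomQueryArgs {
     resource: string;
@@ -201,7 +163,7 @@ export interface PolicySetRQResponse extends AccessControlObjectInterface {
     filters?: ResourceFilterMap[];
     custom_query_args?: CustomQueryArgs[];
     obligation?: Obligation[];
-    decision:
+    decision: Response_Decision;
     operation_status: {
         code: number;
         message: string;
@@ -219,15 +181,6 @@ export interface AttributeTarget {
     resources: Attribute[];
     action: Attribute[];
 }
-export declare enum Effect {
-    PERMIT = "PERMIT",
-    DENY = "DENY",
-    INDETERMINATE = "INDETERMINATE"
-}
-export interface ACSRequest {
-    target: TargetReq;
-    context: Context;
-}
 export interface TargetReq {
     subject: Attribute[];
     resources: Attribute[];
@@ -238,18 +191,3 @@ export interface Context {
     resources: any[];
     security: any;
 }
-export declare enum FilterOperation {
-    eq = 0,
-    lt = 1,
-    lte = 2,
-    gt = 3,
-    gte = 4,
-    isEmpty = 5,
-    iLike = 6,
-    in = 7,
-    neq = 8
-}
-export declare enum OperatorType {
-    and = 0,
-    or = 1
-}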
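Review bot: `DecisionResponse.decision`, `Response.decision`, `AuthZResponse.decision` and `PolicySetRQResponse.decision` switch from the removed string enum `Decision` ("PERMIT"/"DENY"/"INDETERMINATE") to the generated `Response_Decision`, which resolver.js in this same release reads back through `Response_Decision[decisionResponse.decision]` and so appears to be a numeric protobuf enum. Callers that compare the decision against those string literals, or against the `Decision`/`Effect` values whose runtime exports are deleted from interfaces.js here, will no longer match, and a `!== 'DENY'`-style guard would then treat every response as allowed; the public .d.ts should say so. Suggest a doc comment on `DecisionResponse.decision`: `/** Decision as returned by access-control-srv; compare against Response_Decision.PERMIT / DENY / INDETERMINATE, never against the former string Decision enum. */`, plus a matching breaking-change entry in CHANGELOG.md for 1.0.0.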
package/lib/acs/interfaces.js
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
-
exports.
|
|
3
|
+
exports.Operation = exports.AuthZAction = void 0;
|
|
4
4
|
var AuthZAction;
|
|
5
5
|
(function (AuthZAction) {
|
|
6
6
|
AuthZAction["CREATE"] = "CREATE";
|
|
@@ -17,45 +17,5 @@ var Operation;
|
|
|
17
17
|
Operation["whatIsAllowed"] = "whatIsAllowed";
|
|
18
18
|
})(Operation = exports.Operation || (exports.Operation = {}));
|
|
19
19
|
;
|
|
20
|
-
var Decision;
|
|
21
|
-
(function (Decision) {
|
|
22
|
-
Decision["PERMIT"] = "PERMIT";
|
|
23
|
-
Decision["DENY"] = "DENY";
|
|
24
|
-
Decision["INDETERMINATE"] = "INDETERMINATE";
|
|
25
|
-
})(Decision = exports.Decision || (exports.Decision = {}));
|
|
26
|
-
;
|
|
27
|
-
var FilterValueType;
|
|
28
|
-
(function (FilterValueType) {
|
|
29
|
-
FilterValueType[FilterValueType["STRING"] = 0] = "STRING";
|
|
30
|
-
FilterValueType[FilterValueType["NUMBER"] = 1] = "NUMBER";
|
|
31
|
-
FilterValueType[FilterValueType["BOOLEAN"] = 2] = "BOOLEAN";
|
|
32
|
-
FilterValueType[FilterValueType["DATE"] = 3] = "DATE";
|
|
33
|
-
FilterValueType[FilterValueType["ARRAY"] = 4] = "ARRAY";
|
|
34
|
-
})(FilterValueType = exports.FilterValueType || (exports.FilterValueType = {}));
|
|
35
|
-
;
|
|
36
|
-
var Effect;
|
|
37
|
-
(function (Effect) {
|
|
38
|
-
Effect["PERMIT"] = "PERMIT";
|
|
39
|
-
Effect["DENY"] = "DENY";
|
|
40
|
-
Effect["INDETERMINATE"] = "INDETERMINATE";
|
|
41
|
-
})(Effect = exports.Effect || (exports.Effect = {}));
|
|
42
|
-
var FilterOperation;
|
|
43
|
-
(function (FilterOperation) {
|
|
44
|
-
FilterOperation[FilterOperation["eq"] = 0] = "eq";
|
|
45
|
-
FilterOperation[FilterOperation["lt"] = 1] = "lt";
|
|
46
|
-
FilterOperation[FilterOperation["lte"] = 2] = "lte";
|
|
47
|
-
FilterOperation[FilterOperation["gt"] = 3] = "gt";
|
|
48
|
-
FilterOperation[FilterOperation["gte"] = 4] = "gte";
|
|
49
|
-
FilterOperation[FilterOperation["isEmpty"] = 5] = "isEmpty";
|
|
50
|
-
FilterOperation[FilterOperation["iLike"] = 6] = "iLike";
|
|
51
|
-
FilterOperation[FilterOperation["in"] = 7] = "in";
|
|
52
|
-
FilterOperation[FilterOperation["neq"] = 8] = "neq";
|
|
53
|
-
})(FilterOperation = exports.FilterOperation || (exports.FilterOperation = {}));
|
|
54
|
-
;
|
|
55
|
-
var OperatorType;
|
|
56
|
-
(function (OperatorType) {
|
|
57
|
-
OperatorType[OperatorType["and"] = 0] = "and";
|
|
58
|
-
OperatorType[OperatorType["or"] = 1] = "or";
|
|
59
|
-
})(OperatorType = exports.OperatorType || (exports.OperatorType = {}));
|
|
60
20
|
;
|
|
61
21
|
//# sourceMappingURL=interfaces.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"interfaces.js","sourceRoot":"","sources":["../../src/acs/interfaces.ts"],"names":[],"mappings":";;;
|
|
1
|
+
{"version":3,"file":"interfaces.js","sourceRoot":"","sources":["../../src/acs/interfaces.ts"],"names":[],"mappings":";;;AAaA,IAAY,WAQX;AARD,WAAY,WAAW;IACrB,gCAAiB,CAAA;IACjB,4BAAa,CAAA;IACb,gCAAiB,CAAA;IACjB,gCAAiB,CAAA;IACjB,kCAAmB,CAAA;IACnB,4BAAa,CAAA;IACb,wBAAS,CAAA;AACX,CAAC,EARW,WAAW,GAAX,mBAAW,KAAX,mBAAW,QAQtB;AAED,IAAY,SAGX;AAHD,WAAY,SAAS;IACnB,oCAAuB,CAAA;IACvB,4CAA+B,CAAA;AACjC,CAAC,EAHW,SAAS,GAAT,iBAAS,KAAT,iBAAS,QAGpB;AA0BA,CAAC;AAkCD,CAAC"}
|
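--- a/package/lib/acs/resolver.d.ts
+++ b/package/lib/acs/resolver.d.ts
@@ -1,6 +1,9 @@
-import {
+import { ACSClientContext, DecisionResponse, PolicySetRQResponse, Operation, Resource } from './interfaces';
 import { AuthZAction } from './interfaces';
 import { ACSAuthZ } from './authz';
+import { Subject, DeepPartial } from '@restorecommerce/rc-grpc-clients/dist/generated-server/io/restorecommerce/auth';
+import { Request } from '@restorecommerce/rc-grpc-clients/dist/generated-server/io/restorecommerce/access_control';
+import { FilterOp } from '@restorecommerce/rc-grpc-clients/dist/generated-server/io/restorecommerce/resource_base';
 export declare const isAllowedRequest: (subject: Subject, resource: Resource[], action: AuthZAction, ctx: ACSClientContext, useCache: boolean) => Promise<DecisionResponse>;
 /**
  * It turns an API request as can be found in typical Web frameworks like express, koa etc.
@@ -20,7 +23,7 @@ export declare const isAllowedRequest: (subject: Subject, resource: Resource[],
  * is not used and ACS request is made to `access-control-srv`
  * @returns {DecisionResponse | PolicySetRQResponse}
  */
-export declare const accessRequest: (subject: Subject
+export declare const accessRequest: (subject: DeepPartial<Subject>, resource: Resource[], action: AuthZAction, ctx: ACSClientContext, operation?: Operation, database?: 'arangoDB' | 'postgres', useCache?: boolean) => Promise<DecisionResponse | PolicySetRQResponse>;
 /**
  * Exposes the isAllowed() api of `access-control-srv` and retruns the response
  * as `Decision`.
@@ -28,15 +31,15 @@ export declare const accessRequest: (subject: Subject, resource: Resource[], act
  * @param {ACSContext} ctx Context Object containing requester's subject information
  * @return {Decision} PERMIT or DENY or INDETERMINATE
  */
-export declare const isAllowed: (request:
+export declare const isAllowed: (request: Request, authZ: ACSAuthZ) => Promise<DecisionResponse>;
 /**
  * Exposes the whatIsAllowed() api of `access-control-srv` and retruns the response
  * a policy set reverse query `PolicySetRQ`
  * @param {ACSRequest} authZRequest input authorization request
  * @param {ACSContext} ctx Context Object containing requester's subject information
- * @return {PolicySetRQ} set of
+ * @return {PolicySetRQ} set of applicable policies and rules for the input request
  */
-export declare const whatIsAllowed: (request:
+export declare const whatIsAllowed: (request: Request, authZ: ACSAuthZ) => Promise<PolicySetRQResponse>;
 export interface Output {
     details?: PayloadStatus[];
     error?: OutputError;
@@ -61,7 +64,7 @@ export interface LoginError {
     message: string;
 }
 export interface QueryArguments {
-    filters?:
+    filters?: FilterOp[];
     limit?: any;
     sort?: any;
     offset?: any;
@@ -75,8 +78,3 @@ export interface RoleRequest {
     role: string;
     organizations: string[];
 }
-export interface FilterType {
-    field?: string;
-    value?: string;
-    operation: Object;
-}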
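Review bot: The doc comments kept around `isAllowed` and `whatIsAllowed` still describe types this release deletes — `@return {Decision} PERMIT or DENY or INDETERMINATE` names the `Decision` enum and `@param {ACSRequest} authZRequest` names the `ACSRequest` interface, both removed from interfaces.d.ts in the same version, while the new signatures take `Request` and `ACSAuthZ` and return `DecisionResponse`/`PolicySetRQResponse`. Suggest `* @param {Request} request input authorization request`, `* @param {ACSAuthZ} authZ client used to reach access-control-srv` and `* @return {DecisionResponse} decision, obligations and operation_status` (the `whatIsAllowed` block likewise returning `PolicySetRQResponse`). Separately, `isAllowedRequest` keeps `subject: Subject` while `accessRequest` moves to `DeepPartial<Subject>`; if the asymmetry is intended it deserves a sentence in the comment, otherwise the two declarations should agree.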
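--- a/package/lib/acs/resolver.js
+++ b/package/lib/acs/resolver.js
@@ -1,7 +1,11 @@
 "use strict";
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
-    Object.
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
 }) : (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
     o[k2] = m[k];
@@ -30,6 +34,8 @@ const config_1 = require("../config");
 const utils_1 = require("../utils");
 const grpc_client_1 = require("@restorecommerce/grpc-client");
 const authz_1 = require("./authz");
+const access_control_1 = require("@restorecommerce/rc-grpc-clients/dist/generated-server/io/restorecommerce/access_control");
+const access_control_2 = require("@restorecommerce/rc-grpc-clients/dist/generated-server/io/restorecommerce/access_control");
 const subjectIsUnauthenticated = (subject) => {
     return !!subject
         && 'unauthenticated' in subject && subject['unauthenticated'];
@@ -37,9 +43,12 @@ const subjectIsUnauthenticated = (subject) => {
 const whatIsAllowedRequest = async (subject, resource, action, ctx, useCache) => {
     if (subjectIsUnauthenticated(subject)) {
         const grpcConfig = config_1.cfg.get('client:acs-srv');
-        const
-        const
-
+        const channel = (0, grpc_client_1.createChannel)(grpcConfig.address);
+        const acsClient = (0, grpc_client_1.createClient)({
+            ...grpcConfig,
+            logger: logger_1.default
+        }, access_control_2.ServiceDefinition, channel);
+        return await new authz_1.UnAuthZ(acsClient).whatIsAllowed({
             target: {
                 subject: subject, resource, action
             },
@@ -54,7 +63,7 @@ const whatIsAllowedRequest = async (subject, resource, action, ctx, useCache) =>
                 security: {}
             },
             target: {
-                subject,
+                subject: subject,
                 resource,
                 action
             }
@@ -64,9 +73,12 @@ const whatIsAllowedRequest = async (subject, resource, action, ctx, useCache) =>
 const isAllowedRequest = async (subject, resource, action, ctx, useCache) => {
     if (subjectIsUnauthenticated(subject)) {
         const grpcConfig = config_1.cfg.get('client:acs-srv');
-        const
-        const
-
+        const channel = (0, grpc_client_1.createChannel)(grpcConfig.address);
+        const acsClient = (0, grpc_client_1.createClient)({
+            ...grpcConfig,
+            logger: logger_1.default
+        }, access_control_2.ServiceDefinition, channel);
+        return await new authz_1.UnAuthZ(acsClient).isAllowed({
             target: {
                 subject: subject, resource, action
             },
@@ -121,7 +133,7 @@ const accessRequest = async (subject, resource, action, ctx, operation, database
     if (token) {
         const configuredApiKey = config_1.cfg.get('authentication:apiKey');
         if (configuredApiKey === token) {
-            return { decision:
+            return { decision: access_control_1.Response_Decision.PERMIT, operation_status: (0, utils_1.generateOperationStatus)(200, 'success') };
         }
     }
     let authzEnabled = config_1.cfg.get('authorization:enabled');
@@ -136,10 +148,10 @@ const accessRequest = async (subject, resource, action, ctx, operation, database
     }
     // if authorization is disabled
     if (!authzEnabled) {
-        return { decision:
+        return { decision: access_control_1.Response_Decision.PERMIT, operation_status: (0, utils_1.generateOperationStatus)(200, 'success') };
     }
     if (_.isEmpty(subject)) {
-        return { decision:
+        return { decision: access_control_1.Response_Decision.DENY, operation_status: (0, utils_1.generateOperationStatus)(config_1.errors.USER_NOT_LOGGED_IN.code, config_1.errors.USER_NOT_LOGGED_IN.message) };
     }
     let subjectID;
     let targetScope = subject.scope;
@@ -156,7 +168,7 @@ const accessRequest = async (subject, resource, action, ctx, operation, database
         const details = 'Entity missing';
         logger_1.default.verbose(msg);
         logger_1.default.verbose('Details:', { details });
-        return { decision:
+        return { decision: access_control_1.Response_Decision.DENY, operation_status: (0, utils_1.generateOperationStatus)(Number(config_1.errors.ACTION_NOT_ALLOWED.code), msg) };
     }
     // default ACS operation is isAllowed
     if (!operation) {
@@ -181,7 +193,7 @@ const accessRequest = async (subject, resource, action, ctx, operation, database
         }
         catch (err) {
             logger_1.default.error('Error calling whatIsAllowed operation', { code: err.code, message: err.message, stack: err.stack });
-            return { decision:
+            return { decision: access_control_1.Response_Decision.DENY, operation_status: (0, utils_1.generateOperationStatus)(err.code, err.message) };
         }
         // handle case if policySet is empty
         if ((!policySetResponse || _.isEmpty(policySetResponse.policy_sets)) && authzEnforced) {
@@ -190,7 +202,7 @@ const accessRequest = async (subject, resource, action, ctx, operation, database
             const details = 'no matching policy/rule could be found';
             logger_1.default.verbose(msg);
             logger_1.default.verbose('Details:', { details });
-            return { decision:
+            return { decision: access_control_1.Response_Decision.DENY, operation_status: (0, utils_1.generateOperationStatus)(Number(config_1.errors.ACTION_NOT_ALLOWED.code), msg) };
         }
         if ((!policySetResponse || _.isEmpty(policySetResponse.policy_sets)) && !authzEnforced) {
             logger_1.default.verbose(`The Access response was INDETERMIATE for a request with subject:` +
@@ -205,7 +217,7 @@ const accessRequest = async (subject, resource, action, ctx, operation, database
         }
         policySetResponse.filters = resourceFilters.resourceFilterMap;
         policySetResponse.custom_query_args = resourceFilters.customQueryArgs;
-        policySetResponse.decision =
+        policySetResponse.decision = access_control_1.Response_Decision.PERMIT; // Adding Permit to read response (since we no longer throw errorrs)
         policySetResponse.operation_status = (0, utils_1.generateOperationStatus)(200, 'success');
         return policySetResponse;
     }
@@ -221,7 +233,7 @@ const accessRequest = async (subject, resource, action, ctx, operation, database
         resourceString = JSON.stringify(resourceList);
     }
     // default deny
-    let decisionResponse = { decision:
+    let decisionResponse = { decision: access_control_1.Response_Decision.DENY, operation_status: { code: 0, message: '' } };
     // isAllowed operation
     if (operation === interfaces_1.Operation.isAllowed) {
         // authorization
@@ -230,35 +242,35 @@ const accessRequest = async (subject, resource, action, ctx, operation, database
         }
         catch (err) {
             logger_1.default.error('Error calling isAllowed operation', { code: err.code, message: err.message, stack: err.stack });
-            return { decision:
+            return { decision: access_control_1.Response_Decision.DENY, operation_status: (0, utils_1.generateOperationStatus)(err.code, err.message) };
         }
-        if (decisionResponse && decisionResponse.decision !=
+        if (decisionResponse && decisionResponse.decision != access_control_1.Response_Decision.PERMIT && authzEnforced) {
             let details = '';
-            if (decisionResponse.decision ===
+            if (decisionResponse.decision === access_control_1.Response_Decision.INDETERMINATE) {
                 details = 'No matching policy / rule was found';
             }
-            else if (decisionResponse.decision ===
+            else if (decisionResponse.decision === access_control_1.Response_Decision.DENY) {
                 details = `Subject:${subjectID} does not have access to requested target scope ${targetScope}`;
             }
             const msg = `Access not allowed for request with subject:${subjectID}, ` +
-                `resource:${resourceString}, action:${action}, target_scope:${targetScope}; the response was ${decisionResponse.decision}`;
+                `resource:${resourceString}, action:${action}, target_scope:${targetScope}; the response was ${access_control_1.Response_Decision[decisionResponse.decision]}`;
             logger_1.default.verbose(msg);
             logger_1.default.verbose('Details:', { details });
-            return { decision:
+            return { decision: access_control_1.Response_Decision.DENY, operation_status: (0, utils_1.generateOperationStatus)(Number(config_1.errors.ACTION_NOT_ALLOWED.code), msg) };
         }
     }
-    if (!authzEnforced && decisionResponse && decisionResponse.decision !=
+    if (!authzEnforced && decisionResponse && decisionResponse.decision != access_control_1.Response_Decision.PERMIT) {
         let details = '';
-        if (decisionResponse.decision ===
+        if (decisionResponse.decision === access_control_1.Response_Decision.INDETERMINATE) {
             details = 'No matching policy / rule was found';
         }
-        else if (decisionResponse.decision ===
+        else if (decisionResponse.decision === access_control_1.Response_Decision.DENY) {
             details = `Subject:${subjectID} does not have access to requested target scope ${targetScope}`;
         }
         logger_1.default.verbose(`Access not allowed for request with subject:${subjectID}, ` +
-            `resource:${resourceString}, action:${action}, target_scope:${targetScope}; the response was ${decisionResponse.decision}`);
+            `resource:${resourceString}, action:${action}, target_scope:${targetScope}; the response was ${access_control_1.Response_Decision[decisionResponse.decision]}`);
         logger_1.default.verbose(`${details}, Overriding the ACS result as ACS enforce config is disabled`);
-        decisionResponse.decision =
+        decisionResponse.decision = access_control_1.Response_Decision.PERMIT;
     }
     return decisionResponse;
 };
@@ -271,18 +283,20 @@ exports.accessRequest = accessRequest;
  * @return {Decision} PERMIT or DENY or INDETERMINATE
  */
 const isAllowed = async (request, authZ) => {
-    let
+    let response;
     try {
-        isAllowedResponse = await authZ.acs.isAllowed(request);
-
-        isAllowedResponse.
-
+        const isAllowedResponse = await authZ.acs.isAllowed(request);
+        response = {
+            decision: isAllowedResponse.decision,
+            obligation: (0, utils_1.mapResourceURNObligationProperties)(isAllowedResponse.obligation),
+            operation_status: isAllowedResponse.operation_status
+        };
     }
     catch (err) {
         logger_1.default.error('Error invoking acs-srv isAllowed method', { code: err.code, message: err.message, stack: err.stack });
-        return { decision:
+        return { decision: access_control_1.Response_Decision.DENY, operation_status: (0, utils_1.generateOperationStatus)(err.code, err.message) };
     }
-    return
+    return response;
 };
 exports.isAllowed = isAllowed;
 /**
@@ -290,21 +304,22 @@ exports.isAllowed = isAllowed;
  * a policy set reverse query `PolicySetRQ`
  * @param {ACSRequest} authZRequest input authorization request
  * @param {ACSContext} ctx Context Object containing requester's subject information
- * @return {PolicySetRQ} set of
+ * @return {PolicySetRQ} set of applicable policies and rules for the input request
  */
 const whatIsAllowed = async (request, authZ) => {
-    let
+    let response;
     try {
-        whatIsAllowedResponse = await authZ.acs.whatIsAllowed(request);
-
-        whatIsAllowedResponse
-
+        const whatIsAllowedResponse = await authZ.acs.whatIsAllowed(request);
+        response = {
+            ...whatIsAllowedResponse,
+            obligation: (0, utils_1.mapResourceURNObligationProperties)(whatIsAllowedResponse.obligation)
+        }; // TODO Decision?
     }
     catch (err) {
         logger_1.default.error('Error invoking acs-srv whatIsAllowed method', { code: err.code, message: err.message, stack: err.stack });
-        return { decision:
+        return { decision: access_control_1.Response_Decision.DENY, policy_sets: [], operation_status: (0, utils_1.generateOperationStatus)(err.code, err.message) };
     }
-    return
+    return response;
 };
 exports.whatIsAllowed = whatIsAllowed;
 //# sourceMappingURL=resolver.js.map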
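Review bot: In the unauthenticated branch of both `whatIsAllowedRequest` and `isAllowedRequest` the new code calls `createChannel(grpcConfig.address)` and `createClient(...)` on every invocation and never closes the channel, so each anonymous request appears to leak a gRPC channel and client unless `createChannel` caches internally; creating the `UnAuthZ` client once at module load, or closing the channel in a `finally` after the call, avoids that. The two added `require` lines bind `access_control_1` and `access_control_2` to the same module and can be collapsed into one `import` in the source. Not introduced by this release but visible in the touched `accessRequest` hunk: `if (configuredApiKey === token)` returns PERMIT for any target on a plain string comparison, and a length-checked `crypto.timingSafeEqual` would keep that secret comparison constant-time. `accessRequest` itself starts and ends outside the hunks shown here.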
package/lib/acs/resolver.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"resolver.js","sourceRoot":"","sources":["../../src/acs/resolver.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"resolver.js","sourceRoot":"","sources":["../../src/acs/resolver.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,0CAA4B;AAC5B,6CAGsB;AAEtB,uDAA+B;AAC/B,sCAAwC;AACxC,oCAAmI;AACnI,8DAA2E;AAC3E,mCAAmD;AAEnD,6HAGkG;AAElG,6HAA6H;AAG7H,MAAM,wBAAwB,GAAG,CAAC,OAAY,EAAqC,EAAE;IACnF,OAAO,CAAC,CAAC,OAAO;WACX,iBAAiB,IAAI,OAAO,IAAI,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAClE,CAAC,CAAC;AAEF,MAAM,oBAAoB,GAAG,KAAK,EAAE,OAA6B,EAAE,QAAoB,EACrF,MAAmB,EAAE,GAAqB,EAAE,QAAiB,EAAE,EAAE;IACjE,IAAI,wBAAwB,CAAC,OAAO,CAAC,EAAE;QACrC,MAAM,UAAU,GAAG,YAAG,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;QAC7C,MAAM,OAAO,GAAG,IAAA,2BAAa,EAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QAClD,MAAM,SAAS,GAAG,IAAA,0BAAY,EAAC;YAC7B,GAAG,UAAU;YACb,MAAM,EAAN,gBAAM;SACP,EAAE,kCAAiB,EAAE,OAAO,CAAC,CAAC;QAC/B,OAAO,MAAM,IAAI,eAAO,CAAC,SAAS,CAAC,CAAC,aAAa,CAAC;YAChD,MAAM,EAAE;gBACN,OAAO,EAAG,OAA+B,EAAE,QAAQ,EAAE,MAAM;aAC5D;YACD,OAAO,EAAE;gBACP,QAAQ,EAAE,EAAE;aACb;SACF,EAAE,GAAG,EAAE,QAAQ,CAAC,CAAC;KACnB;SAAM;QACL,OAAO,MAAM,aAAK,CAAC,aAAa,CAAC;YAC/B,OAAO,EAAE;gBACP,QAAQ,EAAE,EAAE;aACb;YACD,MAAM,EAAE;gBACN,OAAO,EAAE,OAAkB;gBAC3B,QAAQ;gBACR,MAAM;aACP;SACF,EAAE,GAAG,EAAE,QAAQ,CAAC,CAAC;KACnB;AACH,CAAC,CAAC;AAEK,MAAM,gBAAgB,GAAG,KAAK,EAAE,OAAgB,EACrD,QAAoB,EAAE,MAAmB,EAAE,GAAqB,EAAE,QAAiB,EAA6B,EAAE;IAClH,IAAI,wBAAwB,CAAC,OAAO,CAAC,EAAE;QACrC,MAAM,UAAU,GAAG,YAAG,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;QAC7C,MAAM,OAAO,GAAG,IAAA,2BAAa,EAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QAClD,MAAM,SAAS,GAAG,IAAA,0BAAY,EAAC;YAC7B,GAAG,UAAU;YACb,MAAM,EAAN,gBAAM;SACP,EAAE,kCAAiB,EAAE,OAAO,CAAC,CAAC;QAC/B,OAAO,MAAM,IAAI,eAAO,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC;YAC5C,MAAM,EAAE;gBACN,OAAO,EAAG,OAA+B,EAAE,QAAQ,EAAE,MAAM;aAC5D;YACD,OAAO,EAAE;gBACP,QAAQ,EAAE,EAAE;aACb;SACF,EAAE,GAAG,EAAE,QAAQ,CAAC,CAAC;KACnB;SAAM;QACL,OAAO,MAAM,aAAK,CAAC,SAAS,CAAC;YAC3B,OAAO,EAAE;gBACP,QAAQ,EAAE,EAAE;aACb;YACD,MAAM,EAAE;gBACN,OAAO;gBACP,QAAQ;gBACR,MAAM;aACP;SACF,EAAE,GAAG,EAAE,QAAQ,CAAC,CAAC;KACnB;AACH,CAAC,CAAC;AA7BW,QAAA,gBAAgB,oBA6B3B;AAEF;;;;;;;;;;;;;;;;;GAiBG;AACI,MAAM,aAAa,GAAG,KAAK,E
AAE,OAA6B,EAAE,QAAoB,EACrF,MAAmB,EAAE,GAAqB,EAAE,SAAqB,EACjE,QAAkC,EAAE,QAAQ,GAAG,IAAI,EAAmD,EAAE;IACxG,yDAAyD;IACzD,IAAI,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE;QACtB,OAAO,GAAG,EAAE,eAAe,EAAE,IAAI,EAAE,CAAC;KACrC;IACD,IAAI,QAAQ,GAAG,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IACpC,IAAI,KAAK,CAAC;IACV,IAAI,OAAO,IAAI,OAAO,CAAC,KAAK,EAAE;QAC5B,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;KACvB;IACD,4BAA4B;IAC5B,IAAI,KAAK,EAAE;QACT,MAAM,gBAAgB,GAAG,YAAG,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;QAC1D,IAAI,gBAAgB,KAAK,KAAK,EAAE;YAC9B,OAAO,EAAE,QAAQ,EAAE,kCAAiB,CAAC,MAAM,EAAE,gBAAgB,EAAE,IAAA,+BAAuB,EAAC,GAAG,EAAE,SAAS,CAAC,EAAE,CAAC;SAC1G;KACF;IACD,IAAI,YAAY,GAAG,YAAG,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;IACpD,IAAI,aAAa,GAAG,YAAG,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;IACrD,iFAAiF;IACjF,8BAA8B;IAC9B,IAAI,YAAY,KAAK,SAAS,EAAE;QAC9B,YAAY,GAAG,IAAI,CAAC;KACrB;IACD,IAAI,aAAa,KAAK,SAAS,EAAE;QAC/B,aAAa,GAAG,IAAI,CAAC;KACtB;IACD,+BAA+B;IAC/B,IAAI,CAAC,YAAY,EAAE;QACjB,OAAO,EAAE,QAAQ,EAAE,kCAAiB,CAAC,MAAM,EAAE,gBAAgB,EAAE,IAAA,+BAAuB,EAAC,GAAG,EAAE,SAAS,CAAC,EAAE,CAAC;KAC1G;IAED,IAAI,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE;QACtB,OAAO,EAAE,QAAQ,EAAE,kCAAiB,CAAC,IAAI,EAAE,gBAAgB,EAAE,IAAA,+BAAuB,EAAC,eAAM,CAAC,kBAAkB,CAAC,IAAI,EAAE,eAAM,CAAC,kBAAkB,CAAC,OAAO,CAAC,EAAE,CAAC;KAC3J;IAED,IAAI,SAAS,CAAC;IACd,IAAI,WAAW,GAAG,OAAO,CAAC,KAAK,CAAC;IAChC,0BAA0B;IAC1B,IAAI,OAAO,IAAI,OAAO,CAAC,EAAE,EAAE;QACzB,SAAS,GAAG,OAAO,CAAC,EAAE,CAAC;KACxB;IAED,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE;QACxB,QAAQ,GAAG,CAAC,QAAQ,CAAC,CAAC;KACvB;IAED,IAAI,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE;QACvB,MAAM,GAAG,GAAG,+CAA+C,SAAS,IAAI;YACtE,YAAY,QAAQ,YAAY,MAAM,kBAAkB,WAAW,kCAAkC,CAAC;QACxG,MAAM,OAAO,GAAG,gBAAgB,CAAC;QACjC,gBAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACpB,gBAAM,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;QACxC,OAAO,EAAE,QAAQ,EAAE,kCAAiB,CAAC,IAAI,EAAE,gBAAgB,EAAE,IAAA,+BAAuB,EAAC,MAAM,CAAC,eAAM,CAAC,kBAAkB,CAAC,IAAI,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC;KACrI;IAED,qCAAqC;IACrC,IAAI,CAAC,SAAS,EAAE;QACd,SAAS,GAAG,sBAAS,CAAC,SAAS,CAAC;KACjC;IAED,+BAA+B;IAC/B,IAAI,
CAAC,QAAQ,EAAE;QACb,QAAQ,GAAG,UAAU,CAAC;KACvB;IAED,gBAAgB;IAChB,IAAI,GAAG,CAAC,SAAS,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE;QAC9C,GAAG,CAAC,SAAS,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;KACjC;IAED,0BAA0B;IAC1B,IAAI,SAAS,KAAK,sBAAS,CAAC,aAAa,EAAE;QACzC,uCAAuC;QACvC,IAAI,iBAAsC,CAAC;QAC3C,IAAI;YACF,uDAAuD;YACvD,wDAAwD;YACxD,iBAAiB,GAAG,MAAM,oBAAoB,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,QAAQ,CAAC,CAAC;SAC3F;QAAC,OAAO,GAAG,EAAE;YACZ,gBAAM,CAAC,KAAK,CAAC,uCAAuC,EAAG,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,CAAC,CAAC;YACnH,OAAO,EAAE,QAAQ,EAAE,kCAAiB,CAAC,IAAI,EAAE,gBAAgB,EAAE,IAAA,+BAAuB,EAAC,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;SAC/G;QAED,oCAAoC;QACpC,IAAI,CAAC,CAAC,iBAAiB,IAAI,CAAC,CAAC,OAAO,CAAC,iBAAiB,CAAC,WAAW,CAAC,CAAC,IAAI,aAAa,EAAE;YACrF,MAAM,GAAG,GAAG,+CAA+C,SAAS,IAAI;gBACtE,YAAY,QAAQ,YAAY,MAAM,kBAAkB,WAAW,kCAAkC,CAAC;YACxG,MAAM,OAAO,GAAG,wCAAwC,CAAC;YACzD,gBAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YACpB,gBAAM,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;YACxC,OAAO,EAAE,QAAQ,EAAE,kCAAiB,CAAC,IAAI,EAAE,gBAAgB,EAAE,IAAA,+BAAuB,EAAC,MAAM,CAAC,eAAM,CAAC,kBAAkB,CAAC,IAAI,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC;SACrI;QAED,IAAI,CAAC,CAAC,iBAAiB,IAAI,CAAC,CAAC,OAAO,CAAC,iBAAiB,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,aAAa,EAAE;YACtF,gBAAM,CAAC,OAAO,CAAC,kEAAkE;gBAC/E,GAAG,SAAS,cAAc,QAAQ,YAAY,MAAM,kBAAkB,WAAW,GAAG;gBACpF,uEAAuE;gBACvE,8CAA8C,CAAC,CAAC;SACnD;QAED,sFAAsF;QACtF,MAAM,eAAe,GAAG,MAAM,IAAA,+BAAuB,EAAC,QAAQ,EAAE,iBAAiB,EAC/E,GAAG,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,aAAa,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;QAEpF,IAAK,eAAoC,CAAC,QAAQ,EAAE;YAClD,OAAO,eAAmC,CAAC;SAC5C;QAED,iBAAiB,CAAC,OAAO,GAAI,eAAqC,CAAC,iBAAiB,CAAC;QACrF,iBAAiB,CAAC,iBAAiB,GAAI,eAAqC,CAAC,eAAe,CAAC;QAC7F,iBAAiB,CAAC,QAAQ,GAAG,kCAAiB,CAAC,MAAM,CAAC,CAAC,oEAAoE;QAC3H,iBAAiB,CAAC,gBAAgB,GAAG,IAAA,+BAAuB,EAAC,GAAG,EAAE,SAAS,CAAC,CAAC;QAC7E,OAAO,iBAAiB,CAAC;KAC1B;IAED,IAAI,YAAY,GAAG,EAAE,CAAC;IACtB,QAAQ,CAAC,OAAO,CAAC,CAAC,WAAW,EAAE,EAAE;QAC/
B,YAAY,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IACH,IAAI,cAAc,CAAC;IACnB,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE;QAC7B,cAAc,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;KAClC;SAAM;QACL,cAAc,GAAG,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;KAC/C;IACD,eAAe;IACf,IAAI,gBAAgB,GAAqB,EAAE,QAAQ,EAAE,kCAAiB,CAAC,IAAI,EAAE,gBAAgB,EAAE,EAAE,IAAI,EAAE,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,EAAE,CAAC;IAC1H,sBAAsB;IACtB,IAAI,SAAS,KAAK,sBAAS,CAAC,SAAS,EAAE;QACrC,gBAAgB;QAChB,IAAI;YACF,gBAAgB,GAAG,MAAM,IAAA,wBAAgB,EAAC,QAAmB,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,QAAQ,CAAC,CAAC;SACjG;QAAC,OAAO,GAAG,EAAE;YACZ,gBAAM,CAAC,KAAK,CAAC,mCAAmC,EAAG,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,CAAC,CAAC;YAC/G,OAAO,EAAE,QAAQ,EAAE,kCAAiB,CAAC,IAAI,EAAE,gBAAgB,EAAE,IAAA,+BAAuB,EAAC,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;SAC/G;QAED,IAAI,gBAAgB,IAAI,gBAAgB,CAAC,QAAQ,IAAI,kCAAiB,CAAC,MAAM,IAAI,aAAa,EAAE;YAC9F,IAAI,OAAO,GAAG,EAAE,CAAC;YACjB,IAAI,gBAAgB,CAAC,QAAQ,KAAK,kCAAiB,CAAC,aAAa,EAAE;gBACjE,OAAO,GAAG,qCAAqC,CAAC;aACjD;iBAAM,IAAI,gBAAgB,CAAC,QAAQ,KAAK,kCAAiB,CAAC,IAAI,EAAE;gBAC/D,OAAO,GAAG,WAAW,SAAS,mDAAmD,WAAW,EAAE,CAAC;aAChG;YACD,MAAM,GAAG,GAAG,+CAA+C,SAAS,IAAI;gBACtE,YAAY,cAAc,YAAY,MAAM,kBAAkB,WAAW,sBAAsB,kCAAiB,CAAC,gBAAgB,CAAC,QAAQ,CAAC,EAAE,CAAC;YAChJ,gBAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YACpB,gBAAM,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;YACxC,OAAO,EAAE,QAAQ,EAAE,kCAAiB,CAAC,IAAI,EAAE,gBAAgB,EAAE,IAAA,+BAAuB,EAAC,MAAM,CAAC,eAAM,CAAC,kBAAkB,CAAC,IAAI,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC;SACrI;KACF;IACD,IAAI,CAAC,aAAa,IAAI,gBAAgB,IAAI,gBAAgB,CAAC,QAAQ,IAAI,kCAAiB,CAAC,MAAM,EAAE;QAC/F,IAAI,OAAO,GAAG,EAAE,CAAC;QACjB,IAAI,gBAAgB,CAAC,QAAQ,KAAK,kCAAiB,CAAC,aAAa,EAAE;YACjE,OAAO,GAAG,qCAAqC,CAAC;SACjD;aAAM,IAAI,gBAAgB,CAAC,QAAQ,KAAK,kCAAiB,CAAC,IAAI,EAAE;YAC/D,OAAO,GAAG,WAAW,SAAS,mDAAmD,WAAW,EAAE,CAAC;SAChG;QACD,gBAAM,CAAC,OAAO,CAAC,+CAA+C,SAAS,IAAI;YACzE,YAAY,cAAc,YAAY,MAAM,kBAAkB,WAAW,sBAAsB,kCAAiB,CAAC,gBAAgB,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;QACjJ,gBAAM
,CAAC,OAAO,CAAC,GAAG,OAAO,+DAA+D,CAAC,CAAC;QAC1F,gBAAgB,CAAC,QAAQ,GAAG,kCAAiB,CAAC,MAAM,CAAC;KACtD;IACD,OAAO,gBAAgB,CAAC;AAC1B,CAAC,CAAC;AAvKW,QAAA,aAAa,iBAuKxB;AAEF;;;;;;GAMG;AACI,MAAM,SAAS,GAAG,KAAK,EAAE,OAAgB,EAAE,KAAe,EAA6B,EAAE;IAC9F,IAAI,QAA0B,CAAC;IAC/B,IAAI;QACF,MAAM,iBAAiB,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC7D,QAAQ,GAAG;YACT,QAAQ,EAAE,iBAAiB,CAAC,QAAQ;YACpC,UAAU,EAAE,IAAA,0CAAkC,EAAC,iBAAiB,CAAC,UAAU,CAAC;YAC5E,gBAAgB,EAAE,iBAAiB,CAAC,gBAAgB;SACrD,CAAC;KACH;IAAC,OAAO,GAAG,EAAE;QACZ,gBAAM,CAAC,KAAK,CAAC,yCAAyC,EAAG,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,CAAC,CAAC;QACrH,OAAO,EAAE,QAAQ,EAAE,kCAAiB,CAAC,IAAI,EAAE,gBAAgB,EAAE,IAAA,+BAAuB,EAAC,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;KAC/G;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC,CAAC;AAfW,QAAA,SAAS,aAepB;AAEF;;;;;;GAMG;AACI,MAAM,aAAa,GAAG,KAAK,EAAE,OAAgB,EAAE,KAAe,EAAgC,EAAE;IACrG,IAAI,QAA6B,CAAC;IAClC,IAAI;QACF,MAAM,qBAAqB,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;QACrE,QAAQ,GAAG;YACT,GAAG,qBAAqB;YACxB,UAAU,EAAE,IAAA,0CAAkC,EAAC,qBAAqB,CAAC,UAAU,CAAC;SAC1E,CAAC,CAAC,iBAAiB;KAC5B;IAAC,OAAO,GAAG,EAAE;QACZ,gBAAM,CAAC,KAAK,CAAC,6CAA6C,EAAG,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,CAAC,CAAC;QACzH,OAAO,EAAE,QAAQ,EAAE,kCAAiB,CAAC,IAAI,EAAE,WAAW,EAAE,EAAE,EAAE,gBAAgB,EAAE,IAAA,+BAAuB,EAAC,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;KAChI;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC,CAAC;AAdW,QAAA,aAAa,iBAcxB"}
|
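--- a/package/lib/index.js
+++ b/package/lib/index.js
@@ -1,7 +1,11 @@
 "use strict";
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
 if (k2 === undefined) k2 = k;
-Object.
+var desc = Object.getOwnPropertyDescriptor(m, k);
+if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+desc = { enumerable: true, get: function() { return m[k]; } };
+}
+Object.defineProperty(o, k2, desc);
 }) : (function(o, m, k, k2) {
 if (k2 === undefined) k2 = k;
 o[k2] = m[k];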
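--- a/package/lib/index.js.map
+++ b/package/lib/index.js.map
@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,iDAA+B;AAC/B,8CAA4B;AAC5B,2CAAyB;AACzB,mDAAiC;AACjC,mDAAiC;AACjC,8CAA4B;AAC5B,0CAAwB;AACxB,+CAA6B"}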
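--- a/package/lib/utils.d.ts
+++ b/package/lib/utils.d.ts
@@ -1,5 +1,7 @@
-import {
+import { UserScope, PolicySetRQ, PolicySetRQResponse, ResourceFilterMap, CustomQueryArgs, DecisionResponse, Resource, AuthZAction, ResolvedSubject, Obligation } from './acs/interfaces';
 import { QueryArguments, UserQueryArguments } from './acs/resolver';
+import { RoleAssociation, Subject, DeepPartial } from '@restorecommerce/rc-grpc-clients/dist/generated-server/io/restorecommerce/auth';
+import { Attribute } from '@restorecommerce/rc-grpc-clients/dist/generated-server/io/restorecommerce/attribute';
 export declare const reduceRoleAssociations: (roleAssociations: RoleAssociation[], scopeID: string) => Promise<UserScope>;
 export declare const handleError: (err: string | Error | any) => any;
 export declare const buildFilterPermissions: (policySet: PolicySetRQ, subject: ResolvedSubject, reqResources: any, database: string) => Promise<QueryArguments | UserQueryArguments>;
@@ -14,7 +16,7 @@ export declare const generateOperationStatus: (code?: number, message?: string)
 * @param ruleAttributes
 * @param requestAttributes
 */
-export declare const attributesMatch: (ruleAttributes: Attribute[], requestAttributes: Attribute[]) => boolean;
+export declare const attributesMatch: (ruleAttributes: DeepPartial<Attribute>[], requestAttributes: DeepPartial<Attribute>[]) => boolean;
 export interface FilterMapResponse {
 resourceFilterMap: ResourceFilterMap[];
 customQueryArgs: CustomQueryArgs[];
@@ -36,7 +38,7 @@ export interface FilterMapResponse {
 * if this param is missing defaults to `arangoDB`
 *
 */
-export declare const createResourceFilterMap: (resource: Resource[], policySetResponse: PolicySetRQResponse, resources: any, action: AuthZAction, subject: Subject
+export declare const createResourceFilterMap: (resource: Resource[], policySetResponse: PolicySetRQResponse, resources: any, action: AuthZAction, subject: DeepPartial<Subject>, subjectID: string, authzEnforced: boolean, targetScope: string, database: 'arangoDB' | 'postgres') => Promise<FilterMapResponse | DecisionResponse>;
 /**
 * converts the Obligation Attribute[] to Obligation[] object
 *
@@ -45,4 +47,4 @@ export declare const createResourceFilterMap: (resource: Resource[], policySetRe
 * to property[].
 *
 */
-export declare const mapResourceURNObligationProperties: (obligation:
+export declare const mapResourceURNObligationProperties: (obligation: Attribute[]) => Obligation[];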
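Review bot: The new `createResourceFilterMap` declaration on line 41 makes `database` a required `'arangoDB' | 'postgres'`, while the doc comment directly above it (line 38) says the parameter may be missing and defaults to `arangoDB`; either the parameter should be declared optional, `database?: 'arangoDB' | 'postgres'`, or the comment should drop the claim about a default. The same parameter is still a bare `string` on `buildFilterPermissions` (line 7), so the narrowing is applied to only one of the two signatures that accept it, and a caller can pass an arbitrary backend name through the wider one. Since this is a declaration file emitted from the package source, both changes belong in the source signatures rather than in this file.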