@rpcbase/server 0.288.0 → 0.289.0

package/boot/shared.js

@@ -4,7 +4,7 @@ require("./setup_env")
 require("../src/helpers/expect_ext")
 
 const mongoose = require("../mongoose")
-require("@rpcbase/access-control")(mongoose)
+require("../access-control")(mongoose)
 
 const {database, firebase} = require("../")
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rpcbase/server",
-  "version": "0.288.0",
+  "version": "0.289.0",
   "license": "SSPL-1.0",
   "main": "./index.js",
   "bin": {

package/src/access-control/access-control.schema.json

@@ -0,0 +1,21 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://schemas.rpcbase.com/schemas/aceess-control.schema.json",
+  "title": "access-control",
+  "type": "object",
+  "properties": {
+    "prop1": {
+      "type": "string",
+      "description": "The person's first name."
+    },
+    "lastName": {
+      "type": "string",
+      "description": "The person's last name."
+    },
+    "age": {
+      "description": "Age in years which must be equal to or greater than zero.",
+      "type": "integer",
+      "minimum": 0
+    }
+  }
+}

package/src/access-control/check_apply_permissions.js

@@ -0,0 +1,92 @@
+/* @flow */
+const _get = require("lodash/get")
+const colors = require("picocolors")
+
+const user_types = ["owner", "user", "any"]
+const perm_operations = ["create", "read", "update", "delete"]
+
+
+// Owner
+// the creator of the document, or an user_id that is in the "owners" field
+
+// User
+// any authenticated user that belongs in this tenant
+
+// Any
+// most relaxed permission, any client can access the resource
+
+
+// given ac config, operation and document / query,
+// check if the user has the permission to run this op
+// if the user doesn't have permission, the system should throw an error
+const check_apply_permissions = (ac_config, model_name, operation, user_id, item) => {
+  const rule_target = _get(ac_config, `${model_name}.${operation}`)
+  // console.log("rule target", rule_target)
+
+  // console.log("check_apply_permissions", `'${model_name}:${operation}:${rule_target}'`)
+
+  if (!rule_target) {
+    throw new Error(`undefined rule_target for '${model_name}:${operation}'`)
+  }
+
+  if (!user_types.includes(rule_target)) {
+    throw new Error(`expected rule_target '${model_name}:${operation}' to be in '${JSON.stringify(user_types)}', but got '${rule_target}'`)
+  }
+
+  // Create
+  if (operation === "create") {
+    if (["owner", "user"].includes(rule_target)) {
+      if (!user_id) return new Error("create expected authenticated user_id")
+    } else {
+      return false
+    }
+  }
+  // Read
+  else if (operation === "read") {
+    const query = item
+    if (rule_target === "owner") {
+      if (!user_id) throw new Error("read::owner invalid user_id")
+
+      const conditions = query.getQuery()
+
+      if (conditions._owners) {
+        console.log(colors.yellow("Warning!"), model_name, "ACL for read is owner, but client is sending _owners in query, the field will be overwritten")
+      }
+      // TODO: implement dynamic ACL based on what the application allows the user to read
+      query.setQuery({
+        ...conditions,
+        _owners: {$in: [user_id]}
+      })
+
+    }
+  }
+  // Update
+  else if (operation === "update") {
+    const doc = item
+    if (rule_target === "owner") {
+      if (!doc._owners.includes(user_id)) {
+        // TODO: add debug logging
+        return new Error("expected user_id to be in owners to update document")
+      }
+    } else {
+      throw new Error(`unknown rule target '${rule_target}' for operation ${model_name}::update`)
+    }
+  }
+  // Delete
+  else if (operation === "delete") {
+    const doc = item
+    if (rule_target === "owner") {
+      if (!doc._owners.includes(user_id)) {
+        // TODO: add debug logging
+        return new Error("expected user_id to be in owners to delete document")
+      }
+    } else {
+      throw new Error(`unknown rule target '${rule_target}' for operation ${model_name}::delete`)
+    }
+  }
+
+  return false
+}
+
+
+module.exports = check_apply_permissions

package/src/access-control/default-access-control.json

@@ -0,0 +1,14 @@
+{
+  "Invite": {
+    "create": "any",
+    "read": "owner",
+    "update": "owner",
+    "delete": "owner"
+  },
+  "User": {
+    "create": "any",
+    "read": "owner",
+    "update": "owner",
+    "delete": "owner"
+  }
+}

package/src/access-control/get_added_fields.js

@@ -0,0 +1,23 @@
+/* @flow */
+
+const get_added_fields = () => {
+
+  return {
+    _owners: {
+      type: Array,
+      of: String,
+      index: true,
+      required: true,
+    },
+    _viewers: [String],
+    _editors: [String],
+    _created_by: String,
+    _created_at: {
+      type: Date
+    },
+  }
+
+}
+
+
+module.exports = get_added_fields

package/src/access-control/get_config.js

@@ -0,0 +1,34 @@
+/* @flow */
+const path = require("path")
+const fs = require("fs")
+
+const default_config = require("./default-access-control.json")
+
+
+const validate_config = (models_dir, config) => {
+  // for each key in config, check if model exists
+  // check if config parameters also exist
+  console.log("access-control:NYI: validate config", models_dir)
+}
+
+
+// this assumes the project is ran from the server/server/ directory
+const get_config = (custom_path) => {
+  const config_path = custom_path || path.join(process.cwd(), "./src/models/access-control.json")
+
+  if (!fs.existsSync(config_path)) {
+    console.log("config path does not exist", config_path)
+  }
+
+  const conf_str = fs.readFileSync(config_path, "utf8")
+  const config = JSON.parse(conf_str)
+
+  const models_dir = path.dirname(config_path)
+  validate_config(models_dir, config)
+
+  return Object.assign(config, default_config)
+}
+
+
+
+module.exports = get_config

package/src/access-control/hooks/doc_pre_create.js

@@ -0,0 +1,26 @@
+/* @flow */
+//
+// const has_permission = require("../has_permission")
+//
+// const delay = (time) => new Promise((resolve) => setTimeout(resolve, time))
+// // await delay(2000)
+//
+// module.exports = (ac_config, schema) => async function(next) {
+//   const model_name = this.model.modelName
+//   const operation = "delete"
+//
+//   if (this.op !== "findOneAndDelete") {
+//     throw new Error(`in pre_delete unknown operation: ${this.op}`)
+//   }
+//
+//   const filter = this.getFilter()
+//   const doc = await this.model.findOne(filter)
+//
+//   console.log("DELETE GOT DOC", doc)
+//   // console.log("THIS", this)
+//   // console.log("THIS filter", this.getFilter())
+//   // console.log("SCHEMA DEL", schema)
+//   // TODO: find a way to check if user can delete this document without reading it
+//   // console.log("delete got ac config", ac_config)
+//   next()
+// }

package/src/access-control/hooks/query_pre_delete.js

@@ -0,0 +1,29 @@
+/* @flow */
+
+const check_apply_permissions = require("../check_apply_permissions")
+
+// const delay = (time) => new Promise((resolve) => setTimeout(resolve, time))
+// await delay(2000)
+
+module.exports = (ac_config, schema) => async function(next) {
+  const model_name = this.model.modelName
+  const operation = "delete"
+
+  if (this.op !== "findOneAndDelete") {
+    throw new Error(`in pre_delete unknown operation: ${this.op}`)
+  }
+
+  const user_id = this.options.ctx.req.session.user_id
+
+  const filter = this.getFilter()
+  const doc = await this.model.findOne(filter)
+
+  // check if user has permission to delete
+  const err = check_apply_permissions(ac_config, model_name, "delete", user_id, doc)
+  if (err) {
+    console.error(err)
+    return
+  }
+
+  next()
+}

package/src/access-control/index.js

@@ -0,0 +1,9 @@
+/* @flow */
+const mongoose_plugin = require("./mongoose_plugin")
+const get_config = require("./get_config")
+
+module.exports = (mongoose) => {
+  const config = get_config()
+  const plugin = mongoose_plugin(config)
+  mongoose.plugin(plugin)
+}

package/src/access-control/mongoose_plugin.js

@@ -0,0 +1,131 @@
+/* @flow */
+const debug = require("debug")
+
+const get_added_fields = require("./get_added_fields")
+const check_apply_permissions = require("./check_apply_permissions")
+
+// hooks
+const query_pre_delete = require("./hooks/query_pre_delete")
+
+const log = debug("rb")
+
+
+const QUERY = {document: false, query: true}
+const DOC = {document: true, query: false}
+
+const get_query_middleware = (op) => (ac_config, schema) => function(next, save_options) {
+
+  // TODO: this is wrong (AND BREAKS ACL)
+  // when no save options, it's a sub schema, we don't want acl on those
+  // if (!save_options) {
+  //   next()
+  //   console.log("has returned")
+  //   return
+  // }
+
+  const model_name = this.model.modelName
+  if (!model_name) throw new Error("cannot find model_name for query")
+
+  const options = this.getOptions()
+  const user_id = options.ctx?.req?.session?.user_id
+
+  // client requests should always be authenticated
+  if (options.is_client && !user_id) {
+    throw new Error("expected user_id in client request")
+  }
+  // skip if no ctx::user_id (=> is from admin)
+  else if (!user_id) {
+    log("mongoose_plugin: NO USER ID, skipping")
+    return next()
+  }
+
+  const err = check_apply_permissions(ac_config, model_name, "read", user_id, this)
+  if (err) {
+    console.warn(err)
+    return
+  }
+
+  log("access-control will continue")
+  next()
+}
+
+
+// https://mongoosejs.com/docs/middleware.html#types-of-middleware
+const mongoose_plugin = (ac_config) => function rb_acl_plugin(schema, options) {
+  schema.options.strict = false
+
+  // TODO:
+  // DANGER: strictQuery to true silently DROPS filter params
+  // which can be a critical security risk
+  schema.options.strictQuery = false
+
+  if (!schema.options.isSubSchema) {
+    // Add Access Control fields to top level schemas
+    schema.add(get_added_fields())
+  }
+
+  // Queries
+  schema.pre("find", QUERY, get_query_middleware("find")(ac_config, schema))
+  schema.pre("findOne", QUERY, get_query_middleware("findOne")(ac_config, schema))
+  // TODO: add countDocuments, estimatedDocumentCount
+  // aggregate
+
+  schema.pre("findOneAndDelete", QUERY, query_pre_delete(ac_config, schema))
+
+  // Documents create and save
+  schema.pre("save", DOC, function(next, options) {
+    if (this.$isSubdocument) {
+      return next()
+    }
+
+    const model_name = this.constructor.modelName
+    if (!model_name) {
+      throw new Error("doc pre save model_name is undefined")
+    }
+
+    const {ctx} = options
+
+    // when no context, assume admin mode and authorize op
+    if (!ctx) {
+      this._created_at = new Date
+      next()
+    }
+
+    const user_id = ctx.req.session?.user_id
+
+    const doc = this
+    // Create
+    // TODO: apply create fields
+    if (this.isNew) {
+      const err = check_apply_permissions(ac_config, model_name, "create", user_id, doc)
+      if (err) {
+        console.warn(err)
+        return
+      }
+      if (!this._owners.includes(user_id)) {
+        this._owners.push(user_id)
+      }
+      this._created_by = user_id
+      this._created_at = new Date
+      next()
+    }
+    // Update
+    else {
+      const err = check_apply_permissions(ac_config, model_name, "update", user_id, doc)
+      if (err) {
+        console.warn(err)
+        return
+      }
+      // TODO: apply update fields
+      console.log("warning, update check permission not verified")
+      next()
+    }
+  })
+
+  schema.pre("remove", DOC, function(next) {
+    console.log("schema pre REMOVE", this)
+    next()
+  })
+}
+
+module.exports = mongoose_plugin