@rpcbase/server 0.370.0 → 0.372.0-aclpolicies.0

package/mongoose/plugins/object_id_plugin.ts

@@ -1,6 +1,7 @@
-import mongoose, { Schema } from "../"
+import mongoose, {Schema} from "../"
+
+import {get_object_id} from "../../get_object_id"
 
-import { get_object_id } from "../../get_object_id"
 
 export const object_id_plugin = (schema: Schema) => {
   if (schema.options._id === false) {
@@ -16,11 +17,12 @@ export const object_id_plugin = (schema: Schema) => {
     _id: {
       type: mongoose.Schema.Types.ObjectId,
       default: () => get_object_id(),
+      immutable: true,
     },
   })
 
   // Optional: Ensure the _id field is always set
-  schema.pre("save", function (next) {
+  schema.pre("save", function(next) {
     if (!this._id) {
       this._id = get_object_id()
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rpcbase/server",
-  "version": "0.370.0",
+  "version": "0.372.0-aclpolicies.0",
   "license": "SSPL-1.0",
   "main": "./index.js",
   "scripts": {

package/src/access-control/{check_apply_permissions.js → apply_policies.js}

@@ -2,10 +2,16 @@
 const _get = require("lodash/get")
 const colors = require("picocolors")
 
+const get_policies = require("./get_policies")
+
+
 const user_types = ["owner", "user", "any"]
 const perm_operations = ["create", "read", "update", "delete"]
 
 
+// TODO: add LRU cache for policies
+
+
 // Owner
 // the creator of the document, or an user_id that is in the "owners" field
 
@@ -19,11 +25,16 @@ const perm_operations = ["create", "read", "update", "delete"]
 // given ac config, operation and document / query,
 // check if the user has the permission to run this op
 // if the user doesn't have permission, the system should throw an error
-const check_apply_permissions = (ac_config, model_name, operation, user_id, item) => {
-  const rule_target = _get(ac_config, `${model_name}.${operation}`)
+const apply_policies = async({collection_name, model_name, operation, fields, user_id, doc}) => {
+  // TODO: fix rm policy here
+  // const rule_target = _get(ac_config, `${model_name}.${operation}`)
+  const rule_target = ""
   // console.log("rule target", rule_target)
 
-  // console.log("check_apply_permissions", `'${model_name}:${operation}:${rule_target}'`)
+  const policies = await get_policies({collection_name, model_name, operation, fields, user_id, doc})
+  console.log("MODEL APPLY POLICIES", {collection_name, model_name, operation, fields, user_id, doc})
+  return
+  // console.log("apply_policies", `'${model_name}:${operation}:${rule_target}'`)
 
   if (!rule_target) {
     throw new Error(`undefined rule_target for '${model_name}:${operation}'`)
@@ -43,11 +54,10 @@ const check_apply_permissions = (ac_config, model_name, operation, user_id, item
   }
   // Read
   else if (operation === "read") {
-    const query = item
     if (rule_target === "owner") {
       if (!user_id) throw new Error("read::owner invalid user_id")
 
-      const conditions = query.getQuery()
+      const conditions = doc.getQuery()
 
       // TMP: warn if user supplied _owners, which is currently overwritten for ACL
       if (conditions._owners) {
@@ -56,8 +66,7 @@ const check_apply_permissions = (ac_config, model_name, operation, user_id, item
         }
       }
 
-      // TODO: implement dynamic ACL based on what the application allows the user to read
-      query.setQuery({
+      doc.setQuery({
         ...conditions,
         _owners: {$in: [user_id]}
       })
@@ -66,7 +75,6 @@ const check_apply_permissions = (ac_config, model_name, operation, user_id, item
   }
   // Update
   else if (operation === "update") {
-    const doc = item
     if (rule_target === "owner") {
       if (!doc._owners?.includes(user_id)) {
         console.log("MODEL:", model_name)
@@ -80,7 +88,6 @@ const check_apply_permissions = (ac_config, model_name, operation, user_id, item
   }
   // Delete
   else if (operation === "delete") {
-    const doc = item
     if (rule_target === "owner") {
       if (!doc._owners.includes(user_id)) {
         // TODO: add debug logging
@@ -95,4 +102,4 @@ const check_apply_permissions = (ac_config, model_name, operation, user_id, item
 }
 
 
-module.exports = check_apply_permissions
+module.exports = apply_policies

package/src/access-control/get_policies.js

@@ -0,0 +1,29 @@
+const Policy = require("../models/Policy")
+
+const DEFAULT_POLICY = {
+  "create": "user",
+  "read": "owner",
+  "update": "owner",
+  "delete": "owner",
+}
+
+const get_policies = async({collection_name, model_name, operation, user_id, doc}) => {
+
+  const policies = await Policy.find({
+    $or: [
+      { collection_name, operations: { $in: [operation] }},
+      { doc_id: doc._id, operations: { $in: [operation] }},
+      // TODO: add field level operations
+    ]
+  })
+
+  if (!policies) {
+    return [DEFAULT_POLICY]
+  }
+
+  console.log("POLICIES", policies)
+
+  return policies
+}
+
+module.exports = get_policies

package/src/access-control/hooks/doc_pre_create.js

@@ -5,7 +5,7 @@
 // const delay = (time) => new Promise((resolve) => setTimeout(resolve, time))
 // // await delay(2000)
 //
-// module.exports = (ac_config, schema) => async function(next) {
+// module.exports = (schema) => async function(next) {
 //   const model_name = this.model.modelName
 //   const operation = "delete"
 //

package/src/access-control/hooks/query_pre_delete.js

@@ -1,12 +1,13 @@
 /* @flow */
+const apply_policies = require("../apply_policies")
 
-const check_apply_permissions = require("../check_apply_permissions")
 
-// const delay = (time) => new Promise((resolve) => setTimeout(resolve, time))
-// await delay(2000)
-
-module.exports = (ac_config, schema) => async function(next) {
+module.exports = (schema) => async function(next) {
   const model_name = this.model.modelName
+  const collection_name = this.model.collection.name
+
+  console.log("DELETE PLUGIN GET OPTIONS", this.getOptions())
+
   const operation = "delete"
 
   if (this.op !== "findOneAndDelete") {
@@ -19,7 +20,7 @@ module.exports = (ac_config, schema) => async function(next) {
   const doc = await this.model.findOne(filter)
 
   // check if user has permission to delete
-  const err = check_apply_permissions(ac_config, model_name, "delete", user_id, doc)
+  const err = await apply_policies({collection_name, model_name, operation, user_id, doc})
   if (err) {
     console.error(err)
     return

package/src/access-control/index.js

@@ -1,9 +1,6 @@
 /* @flow */
 const mongoose_plugin = require("./mongoose_plugin")
-const get_config = require("./get_config")
 
 module.exports = (mongoose) => {
-  const config = get_config()
-  const plugin = mongoose_plugin(config)
-  mongoose.plugin(plugin)
+  mongoose.plugin(mongoose_plugin)
 }

package/src/access-control/mongoose_plugin.js

@@ -1,19 +1,19 @@
-/* @flow */
+const assert = require("assert")
 const debug = require("debug")
 
 const get_added_fields = require("./get_added_fields")
-const check_apply_permissions = require("./check_apply_permissions")
+const apply_policies = require("./apply_policies")
 
 // hooks
 const query_pre_delete = require("./hooks/query_pre_delete")
 
-const log = debug("rb")
 
+const log = debug("rb:acl")
 
 const QUERY = {document: false, query: true}
-const DOC = {document: true, query: false}
+const DOC_OPTIONS = {document: true, query: false}
 
-const get_query_middleware = (op) => (ac_config, schema) => function(next, save_options) {
+const get_query_middleware = (op) => (schema) => async function(next, save_options) {
 
   // TODO: this is wrong (AND BREAKS ACL)
   // when no save options, it's a sub schema, we don't want acl on those
@@ -23,13 +23,18 @@ const get_query_middleware = (op) => (ac_config, schema) => function(next, save_
   //   return
   // }
 
+  const collection_name = this.model.collection.name
   const model_name = this.model.modelName
-  if (!model_name) throw new Error("cannot find model_name for query")
+
+  assert(model_name, "cannot find model_name for query")
+  assert(collection_name, "cannot find collection_name for query")
 
   const options = this.getOptions()
   const user_id = options.ctx?.req?.session?.user_id
 
-  // client requests should always be authenticated
+  // console
+
+  // client requests should always be authenticated?
   if (options.is_client && !user_id) {
     throw new Error("expected user_id in client request")
   }
@@ -39,10 +44,10 @@ const get_query_middleware = (op) => (ac_config, schema) => function(next, save_
     return next()
   }
 
-  const err = check_apply_permissions(ac_config, model_name, "read", user_id, this)
-  if (err) {
-    console.warn(err)
-    return
+  const errors = await apply_policies({collection_name, model_name, operation: "read", user_id, doc: this})
+
+  if (errors?.length > 0) {
+    throw new AggregateError(errors, "access-control policies error")
   }
 
   log("access-control will continue")
@@ -51,7 +56,7 @@ const get_query_middleware = (op) => (ac_config, schema) => function(next, save_
 
 
 // https://mongoosejs.com/docs/middleware.html#types-of-middleware
-const mongoose_plugin = (ac_config) => function rb_acl_plugin(schema, options) {
+const mongoose_plugin = async function(schema, options) {
   // TODO: should strict be true here??
   schema.options.strict = false
   // TODO:
@@ -59,31 +64,32 @@ const mongoose_plugin = (ac_config) => function rb_acl_plugin(schema, options) {
   // which can be a critical security risk
   schema.options.strictQuery = false
 
-  if (!schema.options.isSubSchema) {
+  // TODO: acl should be explicitly on by default and only if set to false in schema definition we remove it
+  if (!schema.options.isSubSchema && schema.options.acl !== false) {
     // Add Access Control fields to top level schemas
     schema.add(get_added_fields())
   }
 
   // Queries
-  schema.pre("find", QUERY, get_query_middleware("find")(ac_config, schema))
-  schema.pre("findOne", QUERY, get_query_middleware("findOne")(ac_config, schema))
+  schema.pre("find", QUERY, get_query_middleware("find")(schema))
+  schema.pre("findOne", QUERY, get_query_middleware("findOne")(schema))
   // TODO: add countDocuments, estimatedDocumentCount
   // aggregate
-
-  schema.pre("findOneAndDelete", QUERY, query_pre_delete(ac_config, schema))
+  schema.pre("findOneAndDelete", QUERY, query_pre_delete(schema))
 
   // Documents create and save
-  schema.pre("save", DOC, function(next, options) {
+  schema.pre("save", DOC_OPTIONS, async function(next, save_options) {
     if (this.$isSubdocument) {
       return next()
     }
 
     const model_name = this.constructor.modelName
-    if (!model_name) {
-      throw new Error("doc pre save model_name is undefined")
-    }
+    assert(model_name, "doc pre save model_name is undefined")
+
+    const collection_name = this.constructor.collection.name
+    assert(collection_name, "doc pre save collection_name is undefined")
 
-    const {ctx} = options
+    const {ctx} = save_options
 
     // when no context, assume admin mode and authorize op
     if (!ctx) {
@@ -93,11 +99,12 @@ const mongoose_plugin = (ac_config) => function rb_acl_plugin(schema, options) {
 
     const user_id = ctx.req.session?.user_id
 
+    const fields = this.modifiedPaths({includeChildren: true})
+
     const doc = this
     // Create
-    // TODO: apply create fields
     if (this.isNew) {
-      const err = check_apply_permissions(ac_config, model_name, "create", user_id, doc)
+      const err = await apply_policies({collection_name, model_name, operation: "create", fields, user_id, doc})
       if (err) {
         console.warn(err)
         return
@@ -111,7 +118,7 @@ const mongoose_plugin = (ac_config) => function rb_acl_plugin(schema, options) {
     }
     // Update
     else {
-      const err = check_apply_permissions(ac_config, model_name, "update", user_id, doc)
+      const err = await apply_policies({collection_name, model_name, operation: "update", fields, user_id, doc})
       if (err) {
         console.warn(err)
         return
@@ -120,7 +127,7 @@ const mongoose_plugin = (ac_config) => function rb_acl_plugin(schema, options) {
     }
   })
 
-  schema.pre("remove", DOC, function(next) {
+  schema.pre("remove", DOC_OPTIONS, function(next) {
     console.log("schema pre REMOVE", this)
     next()
   })

package/src/api/stored-values/get_stored_values.js

@@ -14,14 +14,18 @@ const get_projection = (payload) => {
   return projection
 }
 
-
 const get_stored_values = async(payload, ctx) => {
   const {user_id} = ctx.req.session
   expect(user_id).toBeMongoId()
 
   const projection = get_projection(payload)
 
-  const storage_doc = await UserStoredValues.findOne({_owners: {$in: [user_id]}}, projection, {ctx})
+  const storage_doc = await UserStoredValues.findOne(
+    {_owners: {$in: [user_id]}},
+    projection,
+    {ctx},
+  )
+
   assert(storage_doc, `unable to retrieve storage_doc for user: ${user_id}`)
 
   const result = {

package/src/models/Policy.ts

@@ -0,0 +1,13 @@
+const mongoose = require("../../mongoose")
+
+const Policy = mongoose.model("Policy", {
+  user_id: String,
+  token_hash: String,
+  created_at: {
+    type: Date,
+    expires: 360, // 6min
+    default: Date.now,
+  }
+})
+
+module.exports = Policy

package/src/models/index.js

@@ -1,5 +1,6 @@
 require("./Invite")
 require("./Notification")
+require("./Policy")
 require("./ResetPasswordToken")
 require("./User")
 require("./UserStoredValues")

package/src/access-control/access-control.schema.json

@@ -1,21 +0,0 @@
-{
-  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://schemas.rpcbase.com/schemas/aceess-control.schema.json",
-  "title": "access-control",
-  "type": "object",
-  "properties": {
-    "prop1": {
-      "type": "string",
-      "description": "The person's first name."
-    },
-    "lastName": {
-      "type": "string",
-      "description": "The person's last name."
-    },
-    "age": {
-      "description": "Age in years which must be equal to or greater than zero.",
-      "type": "integer",
-      "minimum": 0
-    }
-  }
-}

package/src/access-control/default-access-control.json

@@ -1,20 +0,0 @@
-{
-  "Invite": {
-    "create": "any",
-    "read": "owner",
-    "update": "owner",
-    "delete": "owner"
-  },
-  "User": {
-    "create": "any",
-    "read": "owner",
-    "update": "owner",
-    "delete": "owner"
-  },
-  "UserStoredValues": {
-    "create": "any",
-    "read": "owner",
-    "update": "owner",
-    "delete": "owner"
-  }
-}

package/src/access-control/get_config.js

@@ -1,34 +0,0 @@
-/* @flow */
-const path = require("path")
-const fs = require("fs")
-
-const default_config = require("./default-access-control.json")
-
-
-const validate_config = (models_dir, config) => {
-  // for each key in config, check if model exists
-  // check if config parameters also exist
-  console.log("access-control:NYI: validate config", models_dir)
-}
-
-
-// this assumes the project is ran from the server/server/ directory
-const get_config = (custom_path) => {
-  const config_path = custom_path || path.join(process.cwd(), "./src/models/access-control.json")
-
-  if (!fs.existsSync(config_path)) {
-    console.log("config path does not exist", config_path)
-  }
-
-  const conf_str = fs.readFileSync(config_path, "utf8")
-  const config = JSON.parse(conf_str)
-
-  const models_dir = path.dirname(config_path)
-  validate_config(models_dir, config)
-
-  return Object.assign(config, default_config)
-}
-
-
-
-module.exports = get_config