@smartive/graphql-magic 1.0.1

package/src/models.ts

@@ -0,0 +1,228 @@
+import type { Context } from './context';
+import type { OrderBy } from './resolvers/arguments';
+import type { Directive, Value } from './values';
+
+export type RawModels = RawModel[];
+
+export type RawModel =
+  | ScalarModel
+  | EnumModel
+  | RawEnumModel
+  | InterfaceModel
+  | ObjectModel
+  | RawObjectModel
+  | JsonObjectModel;
+
+type BaseModel = {
+  name: string;
+  plural?: string;
+  description?: string;
+};
+
+export type ScalarModel = BaseModel & { type: 'scalar' };
+
+export type EnumModel = BaseModel & { type: 'enum'; values: string[]; deleted?: true };
+
+export type RawEnumModel = BaseModel & { type: 'raw-enum'; values: string[] };
+
+export type InterfaceModel = BaseModel & { type: 'interface'; fields: ModelField[] };
+
+export type RawObjectModel = BaseModel & {
+  type: 'raw-object';
+  fields: ModelField[];
+  rawFilters?: { name: string; type: string; list?: boolean; nonNull?: boolean }[];
+};
+
+export type JsonObjectModel = BaseModel & {
+  type: 'json-object';
+  json: true;
+  fields: Pick<ModelField, 'type' | 'name' | 'nonNull'>[];
+};
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any -- data is derived from the models
+export type Entity = Record<string, any>;
+
+export type Action = 'create' | 'update' | 'delete' | 'restore';
+
+export type MutationHook = (
+  model: Model,
+  action: Action,
+  when: 'before' | 'after',
+  data: { prev: Entity; input: Entity; normalizedInput: Entity; next: Entity },
+  ctx: Context
+) => Promise<void>;
+
+export type ObjectModel = BaseModel & {
+  type: 'object';
+  interfaces?: string[];
+  // createdAt, createdBy, updatedAt, updatedBy can be null
+  nonStrict?: boolean;
+  queriable?: boolean;
+  listQueriable?: boolean;
+  creatable?: boolean;
+  updatable?: boolean;
+  deletable?: boolean;
+  displayField?: string;
+  defaultOrderBy?: OrderBy;
+  fields: ModelField[];
+
+  // temporary fields for the generation of migrations
+  deleted?: true;
+  oldName?: string;
+};
+
+export type InputObject = {
+  name: string;
+  type: string;
+  nonNull?: boolean;
+};
+
+export const isObjectModel = (model: RawModel): model is ObjectModel => model.type === 'object';
+
+export const isEnumModel = (model: RawModel): model is EnumModel => model.type === 'enum';
+
+export const isRawEnumModel = (model: RawModel): model is RawEnumModel => model.type === 'raw-enum';
+
+export const isScalarModel = (model: RawModel): model is ScalarModel => model.type === 'scalar';
+
+export const isRawObjectModel = (model: RawModel): model is RawObjectModel => model.type === 'raw-object';
+
+export const isJsonObjectModel = (model: RawModel): model is RawObjectModel => model.type === 'json-object';
+
+export const isEnumList = (models: RawModels, field: ModelField) =>
+  field?.list === true && models.find(({ name }) => name === field.type)?.type === 'enum';
+
+export const and =
+  (...predicates: ((field: ModelField) => boolean)[]) =>
+  (field: ModelField) =>
+    predicates.every((predicate) => predicate(field));
+
+export const not = (predicate: (field: ModelField) => boolean) => (field: ModelField) => !predicate(field);
+
+export const isRelation = ({ relation }: ModelField) => !!relation;
+
+export type VisibleRelationsByRole = Record<string, Record<string, string[]>>;
+
+export const isVisibleRelation = (visibleRelationsByRole: VisibleRelationsByRole, modelName: string, role: string) => {
+  const whitelist = visibleRelationsByRole[role]?.[modelName];
+  return ({ name }: Field) => (whitelist ? whitelist.includes(name) : true);
+};
+
+export const isToOneRelation = ({ toOne }: ModelField) => !!toOne;
+
+export const isQueriableField = ({ queriable }: ModelField) => queriable !== false;
+
+export const isRaw = ({ raw }: ModelField) => !!raw;
+
+export const isVisible = ({ hidden }: ModelField) => hidden !== true;
+
+export const isSimpleField = and(not(isRelation), not(isRaw));
+
+export const isUpdatable = ({ updatable }: ModelField) => !!updatable;
+
+export const isCreatable = ({ creatable }: ModelField) => !!creatable;
+
+export const isQueriableBy = (role: string) => (field: ModelField) =>
+  isQueriableField(field) && (!field.queriableBy || field.queriableBy.includes(role));
+
+export const isUpdatableBy = (role: string) => (field: ModelField) =>
+  isUpdatable(field) && (!field.updatableBy || field.updatableBy.includes(role));
+
+export const isCreatableBy = (role: string) => (field: ModelField) =>
+  isCreatable(field) && (!field.creatableBy || field.creatableBy.includes(role));
+
+export const actionableRelations = (model: Model, action: 'create' | 'update' | 'filter') =>
+  model.fields.filter(
+    ({ relation, ...field }) =>
+      relation &&
+      field[`${action === 'filter' ? action : action.slice(0, -1)}able` as 'filterable' | 'creatable' | 'updatable']
+  );
+
+export type Field = {
+  name: string;
+  type: string;
+  default?: Value;
+  list?: boolean;
+  nonNull?: boolean;
+  args?: Field[];
+  directives?: Directive[];
+};
+
+export type ModelField = Field & {
+  primary?: boolean;
+  unique?: boolean;
+  filterable?: boolean;
+  defaultFilter?: Value;
+  searchable?: boolean;
+  possibleValues?: Value[];
+  orderable?: boolean;
+  comparable?: boolean;
+  relation?: boolean;
+  onDelete?: 'cascade' | 'set-null';
+  reverse?: string;
+  toOne?: boolean;
+  foreignKey?: string;
+  queriable?: false;
+  queriableBy?: string[];
+  creatable?: boolean;
+  creatableBy?: string[];
+  updatable?: boolean;
+  updatableBy?: string[];
+  generated?: boolean;
+  raw?: boolean;
+  json?: boolean;
+  dateTimeType?: 'year' | 'date' | 'datetime' | 'year_and_month';
+  stringType?: 'email' | 'url' | 'phone';
+  floatType?: 'currency' | 'percentage';
+  unit?: 'million';
+  intType?: 'currency';
+  min?: number;
+  max?: number;
+  // The tooltip is "hidden" behind an icon in the admin forms
+  tooltip?: string;
+  // The description is always visible below the inputs in the admin forms
+  description?: string;
+  large?: true;
+  maxLength?: number;
+  double?: boolean;
+  precision?: number;
+  scale?: number;
+  defaultValue?: string | number | ReadonlyArray<string> | undefined;
+  endOfDay?: boolean;
+  obfuscate?: true;
+  // If true the field must be filled within forms but can be null in the database
+  required?: boolean;
+  indent?: boolean;
+  // If true the field is hidden in the admin interface
+  hidden?: boolean;
+
+  // temporary fields for the generation of migrations
+  deleted?: true;
+  oldName?: string;
+};
+
+export type Models = Model[];
+
+export type Model = ObjectModel & {
+  fieldsByName: Record<string, ModelField>;
+  relations: Relation[];
+  relationsByName: Record<string, Relation>;
+  reverseRelations: ReverseRelation[];
+  reverseRelationsByName: Record<string, ReverseRelation>;
+};
+
+export type Relation = {
+  field: ModelField;
+  model: Model;
+  reverseRelation: ReverseRelation;
+};
+
+export type ReverseRelation = {
+  name: string;
+  type: string;
+  foreignKey: string;
+  toOne: boolean;
+  model: Model;
+  field: ModelField;
+  fieldModel: Model;
+};

package/src/permissions/check.ts

@@ -0,0 +1,239 @@
+import { Knex } from 'knex';
+import { FullContext } from '../context';
+import { NotFoundError, PermissionError } from '../errors';
+import { Model } from '../models';
+import { AliasGenerator, hash, ors } from '../resolvers/utils';
+import { get, getModelPlural, summonByName } from '../utils';
+import { BasicValue } from '../values';
+import { PermissionAction, PermissionLink, PermissionStack } from './generate';
+
+export const getPermissionStack = (
+  ctx: Pick<FullContext, 'permissions' | 'user'>,
+  type: string,
+  action: PermissionAction
+): boolean | PermissionStack => {
+  const rolePermissions = ctx.permissions[ctx.user.role];
+  if (typeof rolePermissions === 'boolean' || rolePermissions === undefined) {
+    return !!rolePermissions;
+  }
+
+  const typePermissions = rolePermissions[type];
+  if (typeof typePermissions === 'boolean' || typePermissions === undefined) {
+    return !!typePermissions;
+  }
+
+  const actionPermission = typePermissions[action];
+  if (typeof actionPermission === 'boolean' || actionPermission === undefined) {
+    return !!actionPermission;
+  }
+
+  return actionPermission;
+};
+
+export const applyPermissions = (
+  ctx: Pick<FullContext, 'models' | 'permissions' | 'user' | 'knex'>,
+  type: string,
+  tableAlias: string,
+  query: Knex.QueryBuilder,
+  action: PermissionAction,
+  verifiedPermissionStack?: PermissionStack
+): boolean | PermissionStack => {
+  const permissionStack = getPermissionStack(ctx, type, action);
+
+  if (permissionStack === true) {
+    return permissionStack;
+  }
+
+  if (permissionStack === false) {
+    // eslint-disable-next-line @typescript-eslint/no-floating-promises -- we do not need to await knex here
+    query.where(false);
+    return permissionStack;
+  }
+
+  if (
+    verifiedPermissionStack?.every((prefixChain) =>
+      permissionStack.some(
+        (chain) =>
+          hash(prefixChain) === hash(chain.slice(0, -1)) &&
+          // TODO: this is stricter than it could be if we add these checks to the query
+          !('where' in get(chain, chain.length - 1)) &&
+          !('me' in get(chain, chain.length - 1))
+      )
+    )
+  ) {
+    // The user has access to a parent entity with one or more from a set of rules, all of which are inherited by this entity
+    // No need for additional checks
+    return permissionStack;
+  }
+
+  // eslint-disable-next-line @typescript-eslint/no-floating-promises -- we do not need to await knex here
+  ors(
+    query,
+    permissionStack.map(
+      (links) => (query) =>
+        query
+          .whereNull(`${tableAlias}.id`)
+          .orWhereExists((subQuery) => permissionLinkQuery(ctx, subQuery, links, ctx.knex.raw(`"${tableAlias}".id`)))
+    )
+  );
+
+  return permissionStack;
+};
+
+/**
+ * Check whether entity as currently in db can be mutated (update or delete)
+ */
+export const getEntityToMutate = async (
+  ctx: Pick<FullContext, 'models' | 'permissions' | 'user' | 'knex'>,
+  model: Model,
+  where: Record<string, BasicValue>,
+  action: 'UPDATE' | 'DELETE' | 'RESTORE'
+) => {
+  const query = ctx.knex(model.name).where(where).first();
+  let entity = await query.clone();
+
+  if (!entity) {
+    throw new NotFoundError('Entity to mutate');
+  }
+
+  applyPermissions(ctx, model.name, model.name, query, action);
+  entity = await query;
+  if (!entity) {
+    throw new PermissionError(action, `this ${model.name}`);
+  }
+
+  return entity;
+};
+
+/**
+ * Check whether given data can be written to db (insert or update)
+ */
+export const checkCanWrite = async (
+  ctx: Pick<FullContext, 'models' | 'permissions' | 'user' | 'knex'>,
+  model: Model,
+  data: Record<string, BasicValue>,
+  action: 'CREATE' | 'UPDATE'
+) => {
+  const permissionStack = getPermissionStack(ctx, model.name, action);
+
+  if (permissionStack === true) {
+    return;
+  }
+  if (permissionStack === false) {
+    throw new PermissionError(action, getModelPlural(model));
+  }
+
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any -- using `select(1 as any)` to instantiate an "empty" query builder
+  const query = ctx.knex.select(1 as any).first();
+  let linked = false;
+
+  for (const field of model.fields
+    .filter(({ relation }) => relation)
+    .filter((field) => field.generated || (action === 'CREATE' ? field.creatable : field.updatable))) {
+    const foreignKey = field.foreignKey || `${field.name}Id`;
+    const foreignId = data[foreignKey] as string;
+    if (!foreignId) {
+      continue;
+    }
+
+    const fieldPermissions = field[action === 'CREATE' ? 'creatableBy' : 'updatableBy'];
+    if (fieldPermissions && !fieldPermissions.includes(ctx.user.role)) {
+      throw new PermissionError(action, `this ${model.name}'s ${field.name}`);
+    }
+
+    linked = true;
+
+    const fieldPermissionStack = getPermissionStack(ctx, field.type, 'LINK');
+
+    if (fieldPermissionStack === true) {
+      // User can link any entity from this type, just check whether it exists
+      // eslint-disable-next-line @typescript-eslint/no-floating-promises -- we do not need to await knex here
+      query.whereExists((subQuery) => subQuery.from(`${field.type} as a`).whereRaw(`a.id = ?`, foreignId));
+      continue;
+    }
+
+    if (fieldPermissionStack === false || !fieldPermissionStack.length) {
+      throw new PermissionError(action, `this ${model.name}'s ${field.name}`);
+    }
+
+    // eslint-disable-next-line @typescript-eslint/no-floating-promises -- we do not need to await knex here
+    ors(
+      query,
+      fieldPermissionStack.map(
+        (links) => (query) => query.whereExists((subQuery) => permissionLinkQuery(ctx, subQuery, links, foreignId))
+      )
+    );
+  }
+
+  if (linked) {
+    const canMutate = await query;
+    if (!canMutate) {
+      throw new PermissionError(action, `this ${model.name} because there are no entities you can link it to`);
+    }
+  } else if (action === 'CREATE') {
+    throw new PermissionError(action, `this ${model.name} because there are no entity types you can link it to`);
+  }
+};
+
+const permissionLinkQuery = (
+  ctx: Pick<FullContext, 'models' | 'user'>,
+  subQuery: Knex.QueryBuilder,
+  links: PermissionLink[],
+  id: Knex.RawBinding | Knex.ValueDict
+) => {
+  const aliases = new AliasGenerator();
+  let alias = aliases.getShort();
+  const { type, me, where } = links[0]!;
+  // eslint-disable-next-line @typescript-eslint/no-floating-promises -- we do not need to await knex here
+  subQuery.from(`${type} as ${alias}`);
+  if (me) {
+    // eslint-disable-next-line @typescript-eslint/no-floating-promises -- we do not need to await knex here
+    subQuery.where({ [`${alias}.id`]: ctx.user.id });
+  }
+  if (where) {
+    applyWhere(summonByName(ctx.models, type), subQuery, alias, where, aliases);
+  }
+
+  for (const { type, foreignKey, reverse, where } of links) {
+    const model = summonByName(ctx.models, type);
+    const subAlias = aliases.getShort();
+    if (reverse) {
+      // eslint-disable-next-line @typescript-eslint/no-floating-promises -- we do not need to await knex here
+      subQuery.leftJoin(`${type} as ${subAlias}`, `${alias}.${foreignKey || 'id'}`, `${subAlias}.id`);
+    } else {
+      // eslint-disable-next-line @typescript-eslint/no-floating-promises -- we do not need to await knex here
+      subQuery.rightJoin(`${type} as ${subAlias}`, `${alias}.id`, `${subAlias}.${foreignKey || 'id'}`);
+    }
+    // eslint-disable-next-line @typescript-eslint/no-floating-promises -- we do not need to await knex here
+    subQuery.where({ [`${subAlias}.deleted`]: false });
+    if (where) {
+      applyWhere(model, subQuery, subAlias, where, aliases);
+    }
+    alias = subAlias;
+  }
+  // eslint-disable-next-line @typescript-eslint/no-floating-promises -- we do not need to await knex here
+  subQuery.whereRaw(`"${alias}".id = ?`, id);
+};
+
+const applyWhere = (model: Model, query: Knex.QueryBuilder, alias: string, where: any, aliases: AliasGenerator) => {
+  for (const [key, value] of Object.entries(where)) {
+    const relation = model.relationsByName[key];
+
+    if (relation) {
+      const subAlias = aliases.getShort();
+      // eslint-disable-next-line @typescript-eslint/no-floating-promises -- we do not need to await knex here
+      query.leftJoin(
+        `${relation.model.name} as ${subAlias}`,
+        `${alias}.${relation.field.foreignKey || `${relation.field.name}Id`}`,
+        `${subAlias}.id`
+      );
+      applyWhere(relation.model, query, subAlias, value, aliases);
+    } else if (Array.isArray(value)) {
+      // eslint-disable-next-line @typescript-eslint/no-floating-promises -- we do not need to await knex here
+      query.whereIn(`${alias}.${key}`, value);
+    } else {
+      // eslint-disable-next-line @typescript-eslint/no-floating-promises -- we do not need to await knex here
+      query.where({ [`${alias}.${key}`]: value });
+    }
+  }
+};

package/src/permissions/generate.ts

@@ -0,0 +1,143 @@
+import { Models } from '../models';
+import { summonByName } from '../utils';
+
+export type PermissionAction = 'READ' | 'CREATE' | 'UPDATE' | 'DELETE' | 'RESTORE' | 'LINK';
+
+const ACTIONS: PermissionAction[] = ['READ', 'CREATE', 'UPDATE', 'DELETE', 'RESTORE', 'LINK'];
+
+/**
+ * Initial representation (tree structure, as defined by user).
+ */
+export type PermissionsConfig = {
+  [role: string]:
+    | true
+    | {
+        [type: string]: PermissionsBlock;
+      };
+};
+
+export type PermissionsBlock = {
+  [action in PermissionAction]?: true;
+} & {
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  WHERE?: Record<string, any>;
+  RELATIONS?: {
+    [relation: string]: PermissionsBlock;
+  };
+};
+
+/**
+ * Final representation (lookup table (role, model, action) -> permission stack).
+ */
+export type Permissions = {
+  [role: string]: true | RolePermissions;
+};
+
+type RolePermissions = {
+  [type: string]: {
+    [action in PermissionAction]?: true | PermissionStack;
+  };
+};
+
+/**
+ * For a given role, model and action,
+ * this represents the list of potential (join) paths
+ * that would grant permission to perform that action.
+ */
+export type PermissionStack = PermissionChain[];
+
+export type PermissionChain = PermissionLink[];
+
+export type PermissionLink = {
+  type: string;
+  foreignKey?: string;
+  reverse?: boolean;
+  me?: boolean;
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  where?: any;
+};
+
+export const generatePermissions = (models: Models, config: PermissionsConfig) => {
+  const permissions: Permissions = {};
+  for (const [role, roleConfig] of Object.entries(config)) {
+    if (roleConfig === true) {
+      permissions[role] = true;
+      continue;
+    }
+    const rolePermissions: RolePermissions = {};
+    for (const [key, block] of Object.entries(roleConfig)) {
+      const type = key === 'me' ? 'User' : key;
+      if (key !== 'me' && !('WHERE' in block)) {
+        rolePermissions[type] = {};
+        for (const action of ACTIONS) {
+          if (action === 'READ' || action in block) {
+            rolePermissions[type]![action] = true;
+          }
+        }
+      }
+      addPermissions(
+        models,
+        rolePermissions,
+        [
+          {
+            type,
+            ...(key === 'me' && { me: true }),
+            ...('WHERE' in block && { where: block.WHERE }),
+          },
+        ],
+        block
+      );
+    }
+    permissions[role] = rolePermissions;
+  }
+
+  return permissions;
+};
+
+const addPermissions = (models: Models, permissions: RolePermissions, links: PermissionLink[], block: PermissionsBlock) => {
+  const { type } = links[links.length - 1]!;
+  const model = summonByName(models, type);
+
+  for (const action of ACTIONS) {
+    if (action === 'READ' || action in block) {
+      if (!permissions[type]) {
+        permissions[type] = {};
+      }
+      if (!permissions[type]![action]) {
+        permissions[type]![action] = [];
+      }
+      if (permissions[type]![action] !== true) {
+        (permissions[type]![action] as PermissionStack).push(links);
+      }
+    }
+  }
+
+  if (block.RELATIONS) {
+    for (const [relation, subBlock] of Object.entries(block.RELATIONS)) {
+      const field = model.fields.find((field) => field.relation && field.name === relation);
+      let link: PermissionLink;
+      if (field) {
+        link = {
+          type: field.type,
+          foreignKey: field.foreignKey || `${field.name}Id`,
+          reverse: true,
+        };
+      } else {
+        const field = model.reverseRelationsByName[relation]!;
+
+        if (!field) {
+          throw new Error(`Relation ${relation} in model ${model.name} does not exist.`);
+        }
+
+        link = {
+          type: field.model.name,
+          foreignKey: field.foreignKey,
+        };
+      }
+      if (subBlock.WHERE) {
+        link.where = subBlock.WHERE;
+      }
+      addPermissions(models, permissions, [...links, link], subBlock);
+    }
+  }
+};

package/src/permissions/index.ts

@@ -0,0 +1,4 @@
+// created from 'create-ts-index'
+
+export * from './check';
+export * from './generate';