@smythos/sre 1.6.1 → 1.6.8

package/src/subsystems/Security/SecureConnector.class.ts

@@ -1,110 +1,110 @@
-import { Connector } from '@sre/Core/Connector.class';
-import { ConnectorService } from '@sre/Core/ConnectorsService';
-import { Logger } from '@sre/helpers/Log.helper';
-import { ACLAccessDeniedError, IAccessCandidate, TAccessLevel, TAccessResult, TAccessTicket } from '@sre/types/ACL.types';
-import { ACL } from './AccessControl/ACL.class';
-import { AccessCandidate } from './AccessControl/AccessCandidate.class';
-import { AccessRequest } from './AccessControl/AccessRequest.class';
-
-const console = Logger('SecureConnector');
-
-export abstract class SecureConnector<TRequest = any> extends Connector<TRequest> {
-    public abstract name: string;
-
-    //this determines the access rights for the requested resource
-    //the connector should check if the resource exists or not
-    //if the resource exists we read its ACL and return it
-    //if the resource does not exist we return an write access ACL for the candidate
-    public abstract getResourceACL(resourceId: string, candidate: IAccessCandidate): Promise<ACL>;
-
-    public async start() {
-        console.info(`Starting ${this.name} connector ...`);
-    }
-
-    public async stop() {
-        console.info(`Stopping ${this.name} connector ...`);
-    }
-
-    protected async hasAccess(acRequest: AccessRequest) {
-        const aclHelper = await this.getResourceACL(acRequest.resourceId, acRequest.candidate).catch((error) => {
-            console.error(`Error getting ACL for ${acRequest.resourceId}: ${error}`);
-            return null;
-        });
-
-        if (!aclHelper) return false;
-
-        //const aclHelper = ACLHelper.from(acl);
-
-        const exactAccess = aclHelper.checkExactAccess(acRequest);
-        if (exactAccess) return true;
-
-        // if the exact access is denied, we check if the candidate has a higher access
-        const ownerRequest = AccessRequest.clone(acRequest).setLevel(TAccessLevel.Owner);
-        const ownerAccess = aclHelper.checkExactAccess(ownerRequest);
-        if (ownerAccess) return true;
-
-        // if the exact access is denied, we check if the requested resource has a public access
-        const publicRequest = AccessRequest.clone(acRequest).setCandidate(AccessCandidate.public());
-        const publicAccess = aclHelper.checkExactAccess(publicRequest);
-        if (publicAccess) return true;
-
-        // if the public access is denied, we check if the candidate's team has access
-        const accountConnector = ConnectorService.getAccountConnector();
-        const teamId = await accountConnector.getCandidateTeam(acRequest.candidate);
-        const teamRequest = AccessRequest.clone(acRequest).setCandidate(AccessCandidate.team(teamId));
-        const teamAccess = aclHelper.checkExactAccess(teamRequest);
-        if (teamAccess) return true;
-
-        // if the team access is denied, we check if the team has a higher access
-        const teamOwnerRequest = AccessRequest.clone(teamRequest).setLevel(TAccessLevel.Owner);
-        const teamOwnerAccess = aclHelper.checkExactAccess(teamOwnerRequest);
-        if (teamOwnerAccess) return true;
-
-        return false;
-    }
-    public async getAccessTicket(resourceId: string, request: AccessRequest): Promise<TAccessTicket> {
-        const sysAcRequest = AccessRequest.clone(request).resource(resourceId);
-        const accessTicket = {
-            request,
-            access: (await this.hasAccess(sysAcRequest)) ? TAccessResult.Granted : TAccessResult.Denied,
-        };
-
-        return accessTicket as TAccessTicket;
-    }
-
-    //#region [ Decorators ]==========================
-
-    //AccessControl decorator
-    //This decorator will inject the access control logic into storage connector methods
-    // in order to work properly, the connector expects the resourceId to be the first argument and the access request to be the second argument
-
-    static AccessControl(target: any, propertyKey: string, descriptor: PropertyDescriptor) {
-        // Store the original method in a variable
-        const originalMethod = descriptor.value;
-
-        // Modify the descriptor's value to wrap the original method
-        descriptor.value = async function (...args: any[]) {
-            // Extract the method arguments
-            const [acRequest, resourceId] = args;
-
-            if (resourceId !== undefined) {
-                //: getAccessTicket requires a resourceId
-                //FIXME: implement different access control for resources listing and methods that do not require a resourceId
-                // Inject the access control logic
-                const accessTicket = await this.getAccessTicket(resourceId, acRequest);
-                if (accessTicket.access !== TAccessResult.Granted) {
-                    console.error(`Access denied for ${acRequest.candidate.id} on ${resourceId}`);
-                    throw new ACLAccessDeniedError('Access Denied');
-                }
-            }
-
-            // Call the original method with the original arguments
-            return originalMethod.apply(this, args);
-        };
-
-        // Return the modified descriptor
-        return descriptor;
-    }
-
-    //#endregion
-}
+import { Connector } from '@sre/Core/Connector.class';
+import { ConnectorService } from '@sre/Core/ConnectorsService';
+import { Logger } from '@sre/helpers/Log.helper';
+import { ACLAccessDeniedError, IAccessCandidate, TAccessLevel, TAccessResult, TAccessTicket } from '@sre/types/ACL.types';
+import { ACL } from './AccessControl/ACL.class';
+import { AccessCandidate } from './AccessControl/AccessCandidate.class';
+import { AccessRequest } from './AccessControl/AccessRequest.class';
+
+const console = Logger('SecureConnector');
+
+export abstract class SecureConnector<TRequest = any> extends Connector<TRequest> {
+    public abstract name: string;
+
+    //this determines the access rights for the requested resource
+    //the connector should check if the resource exists or not
+    //if the resource exists we read its ACL and return it
+    //if the resource does not exist we return an write access ACL for the candidate
+    public abstract getResourceACL(resourceId: string, candidate: IAccessCandidate): Promise<ACL>;
+
+    public async start() {
+        console.info(`Starting ${this.name} connector ...`);
+    }
+
+    public async stop() {
+        console.info(`Stopping ${this.name} connector ...`);
+    }
+
+    protected async hasAccess(acRequest: AccessRequest) {
+        const aclHelper = await this.getResourceACL(acRequest.resourceId, acRequest.candidate).catch((error) => {
+            console.error(`Error getting ACL for ${acRequest.resourceId}: ${error}`);
+            return null;
+        });
+
+        if (!aclHelper) return false;
+
+        //const aclHelper = ACLHelper.from(acl);
+
+        const exactAccess = aclHelper.checkExactAccess(acRequest);
+        if (exactAccess) return true;
+
+        // if the exact access is denied, we check if the candidate has a higher access
+        const ownerRequest = AccessRequest.clone(acRequest).setLevel(TAccessLevel.Owner);
+        const ownerAccess = aclHelper.checkExactAccess(ownerRequest);
+        if (ownerAccess) return true;
+
+        // if the exact access is denied, we check if the requested resource has a public access
+        const publicRequest = AccessRequest.clone(acRequest).setCandidate(AccessCandidate.public());
+        const publicAccess = aclHelper.checkExactAccess(publicRequest);
+        if (publicAccess) return true;
+
+        // if the public access is denied, we check if the candidate's team has access
+        const accountConnector = ConnectorService.getAccountConnector();
+        const teamId = await accountConnector.getCandidateTeam(acRequest.candidate);
+        const teamRequest = AccessRequest.clone(acRequest).setCandidate(AccessCandidate.team(teamId));
+        const teamAccess = aclHelper.checkExactAccess(teamRequest);
+        if (teamAccess) return true;
+
+        // if the team access is denied, we check if the team has a higher access
+        const teamOwnerRequest = AccessRequest.clone(teamRequest).setLevel(TAccessLevel.Owner);
+        const teamOwnerAccess = aclHelper.checkExactAccess(teamOwnerRequest);
+        if (teamOwnerAccess) return true;
+
+        return false;
+    }
+    public async getAccessTicket(resourceId: string, request: AccessRequest): Promise<TAccessTicket> {
+        const sysAcRequest = AccessRequest.clone(request).resource(resourceId);
+        const accessTicket = {
+            request,
+            access: (await this.hasAccess(sysAcRequest)) ? TAccessResult.Granted : TAccessResult.Denied,
+        };
+
+        return accessTicket as TAccessTicket;
+    }
+
+    //#region [ Decorators ]==========================
+
+    //AccessControl decorator
+    //This decorator will inject the access control logic into storage connector methods
+    // in order to work properly, the connector expects the resourceId to be the first argument and the access request to be the second argument
+
+    static AccessControl(target: any, propertyKey: string, descriptor: PropertyDescriptor) {
+        // Store the original method in a variable
+        const originalMethod = descriptor.value;
+
+        // Modify the descriptor's value to wrap the original method
+        descriptor.value = async function (...args: any[]) {
+            // Extract the method arguments
+            const [acRequest, resourceId] = args;
+
+            if (resourceId !== undefined) {
+                //: getAccessTicket requires a resourceId
+                //FIXME: implement different access control for resources listing and methods that do not require a resourceId
+                // Inject the access control logic
+                const accessTicket = await this.getAccessTicket(resourceId, acRequest);
+                if (accessTicket.access !== TAccessResult.Granted) {
+                    console.error(`Access denied for ${acRequest.candidate.id} on ${resourceId}`);
+                    throw new ACLAccessDeniedError('Access Denied');
+                }
+            }
+
+            // Call the original method with the original arguments
+            return originalMethod.apply(this, args);
+        };
+
+        // Return the modified descriptor
+        return descriptor;
+    }
+
+    //#endregion
+}

package/src/subsystems/Security/Vault.service/Vault.helper.ts

@@ -1,30 +1,30 @@
-import { ConnectorService } from '@sre/Core/ConnectorsService';
-import { AccessCandidate } from '../AccessControl/AccessCandidate.class';
-import axios from 'axios';
-import config from '@sre/config';
-import qs from 'qs';
-
-export class VaultHelper {
-    static async getTeamKey(key: string, teamId: string): Promise<string> {
-        const vaultConnector = ConnectorService.getVaultConnector();
-        return await vaultConnector.requester(AccessCandidate.team(teamId)).get(key);
-    }
-
-    static async getUserKey(key: string, userId: string): Promise<string> {
-        const vaultConnector = ConnectorService.getVaultConnector();
-        const accountConnector = ConnectorService.getAccountConnector();
-
-        const teamId = await accountConnector.getCandidateTeam(AccessCandidate.user(userId));
-
-        return await vaultConnector.requester(AccessCandidate.team(teamId)).get(key);
-    }
-
-    static async getAgentKey(key: string, agentId: string): Promise<string> {
-        const vaultConnector = ConnectorService.getVaultConnector();
-        const accountConnector = ConnectorService.getAccountConnector();
-
-        const teamId = await accountConnector.getCandidateTeam(AccessCandidate.agent(agentId));
-
-        return await vaultConnector.requester(AccessCandidate.team(teamId)).get(key);
-    }
-}
+import { ConnectorService } from '@sre/Core/ConnectorsService';
+import { AccessCandidate } from '../AccessControl/AccessCandidate.class';
+import axios from 'axios';
+import config from '@sre/config';
+import qs from 'qs';
+
+export class VaultHelper {
+    static async getTeamKey(key: string, teamId: string): Promise<string> {
+        const vaultConnector = ConnectorService.getVaultConnector();
+        return await vaultConnector.requester(AccessCandidate.team(teamId)).get(key);
+    }
+
+    static async getUserKey(key: string, userId: string): Promise<string> {
+        const vaultConnector = ConnectorService.getVaultConnector();
+        const accountConnector = ConnectorService.getAccountConnector();
+
+        const teamId = await accountConnector.getCandidateTeam(AccessCandidate.user(userId));
+
+        return await vaultConnector.requester(AccessCandidate.team(teamId)).get(key);
+    }
+
+    static async getAgentKey(key: string, agentId: string): Promise<string> {
+        const vaultConnector = ConnectorService.getVaultConnector();
+        const accountConnector = ConnectorService.getAccountConnector();
+
+        const teamId = await accountConnector.getCandidateTeam(AccessCandidate.agent(agentId));
+
+        return await vaultConnector.requester(AccessCandidate.team(teamId)).get(key);
+    }
+}

package/src/subsystems/Security/Vault.service/VaultConnector.ts

@@ -1,29 +1,29 @@
-import { ACL } from '@sre/Security/AccessControl/ACL.class';
-import { AccessCandidate } from '@sre/Security/AccessControl/AccessCandidate.class';
-import { AccessRequest } from '@sre/Security/AccessControl/AccessRequest.class';
-import { SecureConnector } from '@sre/Security/SecureConnector.class';
-import { IAccessCandidate, IACL } from '@sre/types/ACL.types';
-
-export interface IVaultRequest {
-    get(keyId: string): Promise<string>;
-    exists(keyId: string): Promise<boolean>;
-    listKeys(): Promise<string[]>;
-}
-
-export abstract class VaultConnector extends SecureConnector {
-    constructor(protected _settings?: any) {
-        super(_settings);
-    }
-    requester(candidate: AccessCandidate): IVaultRequest {
-        return {
-            get: async (keyId: string) => this.get(candidate.readRequest, keyId),
-            exists: async (keyId: string) => this.exists(candidate.readRequest, keyId),
-            listKeys: async () => this.listKeys(candidate.readRequest),
-        };
-    }
-
-    public abstract getResourceACL(resourceId: string, candidate: IAccessCandidate): Promise<ACL>;
-    protected abstract get(acRequest: AccessRequest, keyId: string): Promise<string>;
-    protected abstract exists(acRequest: AccessRequest, keyId: string): Promise<boolean>;
-    protected abstract listKeys(acRequest: AccessRequest): Promise<string[]>;
-}
+import { ACL } from '@sre/Security/AccessControl/ACL.class';
+import { AccessCandidate } from '@sre/Security/AccessControl/AccessCandidate.class';
+import { AccessRequest } from '@sre/Security/AccessControl/AccessRequest.class';
+import { SecureConnector } from '@sre/Security/SecureConnector.class';
+import { IAccessCandidate, IACL } from '@sre/types/ACL.types';
+
+export interface IVaultRequest {
+    get(keyId: string): Promise<string>;
+    exists(keyId: string): Promise<boolean>;
+    listKeys(): Promise<string[]>;
+}
+
+export abstract class VaultConnector extends SecureConnector {
+    constructor(protected _settings?: any) {
+        super(_settings);
+    }
+    requester(candidate: AccessCandidate): IVaultRequest {
+        return {
+            get: async (keyId: string) => this.get(candidate.readRequest, keyId),
+            exists: async (keyId: string) => this.exists(candidate.readRequest, keyId),
+            listKeys: async () => this.listKeys(candidate.readRequest),
+        };
+    }
+
+    public abstract getResourceACL(resourceId: string, candidate: IAccessCandidate): Promise<ACL>;
+    protected abstract get(acRequest: AccessRequest, keyId: string): Promise<string>;
+    protected abstract exists(acRequest: AccessRequest, keyId: string): Promise<boolean>;
+    protected abstract listKeys(acRequest: AccessRequest): Promise<string[]>;
+}

package/src/subsystems/Security/Vault.service/connectors/HashicorpVault.class.ts

@@ -1,46 +1,46 @@
-import { ConnectorService } from '@sre/Core/ConnectorsService';
-import { Logger } from '@sre/helpers/Log.helper';
-import { AccessCandidate } from '@sre/Security/AccessControl/AccessCandidate.class';
-import { AccessRequest } from '@sre/Security/AccessControl/AccessRequest.class';
-import { ACL } from '@sre/Security/AccessControl/ACL.class';
-import { SecureConnector } from '@sre/Security/SecureConnector.class';
-import { IAccessCandidate, TAccessLevel, TAccessRole } from '@sre/types/ACL.types';
-import { IVaultRequest, VaultConnector } from '../VaultConnector';
-
-const console = Logger('HashicorpVault');
-export class HashicorpVault extends VaultConnector {
-    public name: string = 'HashicorpVault';
-
-    constructor(protected _settings: any) {
-        super(_settings);
-        //hashicorp client/api
-    }
-
-    @SecureConnector.AccessControl
-    protected async get(acRequest: AccessRequest, keyId: string) {
-        return null;
-    }
-
-    @SecureConnector.AccessControl
-    protected async exists(acRequest: AccessRequest, keyId: string) {
-        return false;
-    }
-
-    @SecureConnector.AccessControl
-    protected async listKeys(acRequest: AccessRequest) {
-        return [];
-    }
-
-    public async getResourceACL(resourceId: string, candidate: IAccessCandidate) {
-        //FIXME : this is for dev, it always give full access, we must update the logic
-        const accountConnector = ConnectorService.getAccountConnector();
-        const teamId = await accountConnector.getCandidateTeam(candidate);
-        const acl = new ACL();
-
-        acl.addAccess(TAccessRole.Team, teamId, TAccessLevel.Owner)
-            .addAccess(TAccessRole.Team, teamId, TAccessLevel.Read)
-            .addAccess(TAccessRole.Team, teamId, TAccessLevel.Write);
-
-        return acl;
-    }
-}
+import { ConnectorService } from '@sre/Core/ConnectorsService';
+import { Logger } from '@sre/helpers/Log.helper';
+import { AccessCandidate } from '@sre/Security/AccessControl/AccessCandidate.class';
+import { AccessRequest } from '@sre/Security/AccessControl/AccessRequest.class';
+import { ACL } from '@sre/Security/AccessControl/ACL.class';
+import { SecureConnector } from '@sre/Security/SecureConnector.class';
+import { IAccessCandidate, TAccessLevel, TAccessRole } from '@sre/types/ACL.types';
+import { IVaultRequest, VaultConnector } from '../VaultConnector';
+
+const console = Logger('HashicorpVault');
+export class HashicorpVault extends VaultConnector {
+    public name: string = 'HashicorpVault';
+
+    constructor(protected _settings: any) {
+        super(_settings);
+        //hashicorp client/api
+    }
+
+    @SecureConnector.AccessControl
+    protected async get(acRequest: AccessRequest, keyId: string) {
+        return null;
+    }
+
+    @SecureConnector.AccessControl
+    protected async exists(acRequest: AccessRequest, keyId: string) {
+        return false;
+    }
+
+    @SecureConnector.AccessControl
+    protected async listKeys(acRequest: AccessRequest) {
+        return [];
+    }
+
+    public async getResourceACL(resourceId: string, candidate: IAccessCandidate) {
+        //FIXME : this is for dev, it always give full access, we must update the logic
+        const accountConnector = ConnectorService.getAccountConnector();
+        const teamId = await accountConnector.getCandidateTeam(candidate);
+        const acl = new ACL();
+
+        acl.addAccess(TAccessRole.Team, teamId, TAccessLevel.Owner)
+            .addAccess(TAccessRole.Team, teamId, TAccessLevel.Read)
+            .addAccess(TAccessRole.Team, teamId, TAccessLevel.Write);
+
+        return acl;
+    }
+}